Apple pushes out silent update to remove sketchy Zoom code from Macs

Let’s be clear about this: Zoom, the maker of a video conferencing app used by millions of people around the world, did not handle the discovery of a privacy vulnerability in its software at all well.

A flaw in the Mac version of the company’s app was initially explained away as a “legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings.”

That, and veiled criticism of the researcher who responsibly shared details of the problem with Zoom, did not go down well with computer users concerned that they could be tricked into joining a video conference with no warning, with their audio and webcam enabled.


I’m sure I wasn’t the only Mac user who was startled to find out that even after I had uninstalled the Zoom video conferencing app from my Mac, web server code Zoom had planted on my computer remained, allowing the software to be reinstalled without asking for my permission anytime I clicked on a Zoom meeting link.

Just listen to this edition of the “Smashing Security” podcast (recorded on Tuesday) to hear how pissed off I was:

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Band-Aids are the solution to this.
CHARL VAN DER WALT
Sounding more and more like it.
CAROLE THERIAULT
Not for your butt, for the current—
GRAHAM CLULEY
Yes, exactly. Yes, yes, yes. Careful which hole you cover up.
CAROLE THERIAULT
Okay.
Unknown
Smashing Security, episode 136: Oops, we created Iran's hacking exploit.
CHARL VAN DER WALT
With Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to Smashing Security episode 136. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault. How are you, Mr. Cluley?
GRAHAM CLULEY
Oh, I'm all right, thanks. You're over in Canada at the moment, aren't you?
CAROLE THERIAULT
Yeah, did you notice? You missing me?
GRAHAM CLULEY
Oh, the whole country's missing you, Carole. It's gone to hell.
CAROLE THERIAULT
Actually, I'd like to do a shout out. I am in Canada, but I went and saw my Aunt Mimi, right? She held a big party on the weekend. Mimi? And you know what she told me?

She listens to the show every week.
CHARL VAN DER WALT
No.
CAROLE THERIAULT
My aunt. Yeah, she listens every week and she loves it. So Mimi, shout out for you.
GRAHAM CLULEY
There you go. Goodness, Mimi listens to you, you.
CAROLE THERIAULT
Yeah, Mimi listens to you, you. Exactly. God, it's I've heard that before.
GRAHAM CLULEY
Now, people may have already noticed that we have a special guest who's joined us.

So Carole, you're all the way, you're far, far away in Canada, but even further away, I suspect, is our guest today, Charl van der Walt. Charl, did I say your surname correctly?
CHARL VAN DER WALT
First of all, Graham, I think you said it as correctly as you're ever going to say it.
GRAHAM CLULEY
So let's go with that and explain to people where you are and who you are.
CAROLE THERIAULT
Maybe say your name correctly first so that people can actually know what it is.
CHARL VAN DER WALT
So I'm Charl van der Walt.
CAROLE THERIAULT
Van der Walt. Okay.
CHARL VAN DER WALT
Van der Walt. And I am in Cape Town, South Africa, where I work for a pen testing company called SensePost.
CAROLE THERIAULT
And is it very hot there?
CHARL VAN DER WALT
It's winter here, so it's not very hot. We're struggling with a blizzardy 16 degrees or something.
GRAHAM CLULEY
Oh, how hellish that must be. 16 degrees Celsius. Oh, so chilly that one, isn't it?
CHARL VAN DER WALT
You know what they say about the snows in Africa.
GRAHAM CLULEY
Don't start that again. Now, now we met, didn't we? I was down in Johannesburg giving a talk and you were there as well. And a splendid time was had by all.
CHARL VAN DER WALT
By all, yes, we did.
GRAHAM CLULEY
Yeah, it was a good old conference. And that's why we've missed it.
CHARL VAN DER WALT
Well, you weren't invited, Carole.
CAROLE THERIAULT
Oh, nice. Nice.
CHARL VAN DER WALT
Sorry.
GRAHAM CLULEY
Thanks.
CAROLE THERIAULT
No.
GRAHAM CLULEY
Carole, to make up for it, what's coming up on the show this week?
CAROLE THERIAULT
Well, first, let's high-five this week's sponsors, LastPass and Recorded Future. Their support helps us give you this show for free.

On today's show, Graham looks into Zoom video conferencing software. Charl talks vulnerabilities, Iran, and US cyber command. Heavy stuff. And I visit the world of deepfakes.
CHARL VAN DER WALT
Ooh.
CAROLE THERIAULT
All this and boatloads more coming up on this episode of Smashing Security.
GRAHAM CLULEY
It's been 6 years, 6 years since we quit our jobs at that cybersecurity firm.
CAROLE THERIAULT
6 years, 1 month, actually.
GRAHAM CLULEY
Is it? Okay. It's been, it's been quite a while, hasn't it? And there are, there's a few things I miss. I don't know about you. There's a few things I miss.
CAROLE THERIAULT
The loo without any seat covers?
GRAHAM CLULEY
No, no, no, not that. Not the messages about not dropping jam on the carpet tiles or anything like that. No, no.
CHARL VAN DER WALT
Yeah.
GRAHAM CLULEY
There's a few things I miss, but there's also quite a lot which I don't miss. And up high on that list of working in corporate life is meetings. Boy, I don't miss those one bit.
CAROLE THERIAULT
Especially the meetings when you weren't actually required to be there, but somehow you had to be there.
GRAHAM CLULEY
Let's be honest, I really wasn't needed at any of those meetings. Having me at any of those meetings was a disadvantage to everyone else in the meeting.

It was just a waste of time for me and a waste of—
CAROLE THERIAULT
Hey, hey, don't put yourself down so much.
GRAHAM CLULEY
No, because, you know, there's really nothing worse than getting lots of people in a room to discuss something.

In fact, there's only one thing worse than getting lots of people in a room to discuss something, and that's getting lots of people who aren't in the room to discuss something as well by teleconferencing.

Do you remember some of the teleconference calls we were on?
CAROLE THERIAULT
Hello, Australia!
GRAHAM CLULEY
Can you hear me over there?
CHARL VAN DER WALT
Hello?
CAROLE THERIAULT
Hello?
CHARL VAN DER WALT
Are you listening?
CAROLE THERIAULT
Can you hear me? Hello?
GRAHAM CLULEY
It was like trying to collect the votes at Eurovision as we would dial around the world and people wouldn't have the right number or people would drop off the call, just shouting at each other.

It's like really a megaphone would have been better.
CAROLE THERIAULT
I had to go into the office once at 5:00 AM to do one of those.
GRAHAM CLULEY
Horrendous. Well, how could anything be worse? Well, I'll tell you how. By adding video onto a teleconference call. Oh boy, oh boy.

Because then you can't even disguise how bored you are.

So when you've been on the call for eight hours, and sometimes the calls do last that long, you know, you're rolling your eyes.

Everyone in the Singapore office can see that you're actually playing solitaire or not really paying attention or doing your receipts.
CAROLE THERIAULT
You know, the trick is just to be really, really quiet, right? Because then the camera doesn't actually focus on you.

Most of these new video conferencing tools highlight whoever's making noise.
GRAHAM CLULEY
Oh, yes.
CAROLE THERIAULT
STFU, Graham. STFU.
CHARL VAN DER WALT
There is one advantage, Graham, to be fair.
GRAHAM CLULEY
Yes?
CHARL VAN DER WALT
To video conferences. You don't have to wear trousers.
GRAHAM CLULEY
Well, I don't know what you do down there in Cape Town, Charl, but in England, we tend to wear trousers in the office. We tend not to—
CHARL VAN DER WALT
But not on a video conference. I mean—
GRAHAM CLULEY
It's bad enough getting jam on the carpet tiles, let alone getting something else on the seat covers. So we tend to—
CHARL VAN DER WALT
Oh yeah, I had to go there. Yeah, you went there.
GRAHAM CLULEY
Now, I'm not a big fan of video conferencing, and despite now running my own business, I haven't been able to completely cut it out of my life.

I do cover my webcam at all times, and if someone says, "Oh, can you turn your webcam on?" It's like, well, if you don't need to see me, if this isn't actually being recorded for a webinar or something, I'm— no, I can't.
CAROLE THERIAULT
Just for the record, I am perfectly happy not seeing you.
GRAHAM CLULEY
Yeah, exactly. It's for everybody, really. No one wants to see me. Win-win.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
But of course, because I'm dealing with different clients and things, they all want me to sign into their particular video conferencing app, the one they've chosen for their business, which could be Skype or Zoom or GoToMeeting or Google Hangouts or Join.me.
CAROLE THERIAULT
It's a pain in the butt because you have to install stuff and then you have got 4 or 5 different video apps on your computer that you don't want. Yeah, I've been there.
GRAHAM CLULEY
And you only need them infrequently, but they're there.

And normally you only realise with about 90 seconds before the call begins, or maybe 2 minutes after it was supposed to begin.

There's not a phone number for you to ring, but you have to go in through a particular app.
CHARL VAN DER WALT
You have to download it.
GRAHAM CLULEY
Yeah, you have to download it and then you—
CAROLE THERIAULT
Okay, so you're going to complain about first world problems. Okay, good, carry on.
GRAHAM CLULEY
So that's the whole show, Carole. So I'm going to actually talk about one of these today, which is Zoom, and specifically the Mac.
CAROLE THERIAULT
I've used Zoom.
GRAHAM CLULEY
Yes, well, it's very popular. Have you used Zoom as well, Charl?
CHARL VAN DER WALT
Zoom, Zoom, Zoom. Yes, we use Zoom as our corporate choice. That's what we use, we have it installed in all the boardrooms and on all the computers.
GRAHAM CLULEY
How interesting. Do you have any Macs in your office at all, may I ask?
CHARL VAN DER WALT
Graham, I'm not sure I should tell you. No, I think I may be incriminating myself if I do. We may or may not have some Macs in this office.
GRAHAM CLULEY
The issue today is specifically with the Mac version of Zoom. It's a very popular video conference app, not just Charl using it at SensePost down in Cape Town.
CHARL VAN DER WALT
Otherwise I wouldn't have anyone to talk to.
CAROLE THERIAULT
You know what, I think, yeah, I have actually been asked to install it by a leading security, IT security firm.
CHARL VAN DER WALT
No, really? Yeah, don't do it.
CAROLE THERIAULT
I know this was a long time ago, but that's how it ended up on my system. Yeah.
GRAHAM CLULEY
Well, you wouldn't be alone because around about 3/4 of a million businesses around the world are using this app. It's one of the leading video conferencing apps.
CHARL VAN DER WALT
Including us.
GRAHAM CLULEY
Including us, including us.

Now, this week, a security researcher has uncovered and released details of a vulnerability that can allow any web page to open up a video call with a Mac user who's already installed Zoom without asking permission.

In other words, if you go to a dodgy web page, your webcam can be hijacked into a Zoom video conference and people could spy on you without you realising.
CAROLE THERIAULT
It's time to liquid paper those cameras, isn't it?
CHARL VAN DER WALT
It is. I have some naughty plasters we could use. Do you call them plasters?
CAROLE THERIAULT
What do you call them?
CHARL VAN DER WALT
Yeah, yeah, naughty band-aids.
GRAHAM CLULEY
Now, when I first saw this headline, Zoom, and I thought, oh crumbs, you know, I've probably installed that at some stage.

I'll have to uninstall it because I don't use it regularly, but sometimes with some clients.

Now you might think that taking that nuclear option of uninstalling Zoom, you know, dragging it into your trash can on your Mac means that you're no longer at risk of having someone unexpectedly spying on you.

But I'm afraid piff, paff, poof, that is not true, that is piffle, because Zoom has a little trick.
CAROLE THERIAULT
So wait, let me just back up for a second. This is the legitimate Zoom app, this is not a fake Zoom app or anything like that.
GRAHAM CLULEY
Yeah, it's a slick little app which you have on your Mac and you can, like any other Mac application, go into the Applications folder and drag it into the trash can and it should be deleted and uninstalled.

It's a fairly easy sort of process, but it doesn't actually get rid of everything which it installed because it turns out Zoom, when you first install it, also installs a little bit of web server code onto your Mac.
CAROLE THERIAULT
Potentially unwanted software.
GRAHAM CLULEY
Yeah, well, exactly. Potentially unwanted application, you know, because after you uninstall Zoom, that piece of code is still there. And do you know what it does?
CHARL VAN DER WALT
Tell us.
GRAHAM CLULEY
If someone sends you a Zoom meeting link, if you get one in your email or something like that and you click on it, when you click on it to join that meeting later, having uninstalled Zoom, that bit of web server code gets activated and in the background and very, very quickly, it will reinstall Zoom onto your computer without asking your permission and bam, Zoom is there again.
CAROLE THERIAULT
And it has probably all your old settings as well.
GRAHAM CLULEY
It's all set up.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And so I did this this morning. I uninstalled Zoom.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Because I was reading about this and I clicked on a Zoom link and in literally the blink of an eye, the entire app was reinstalled.
CAROLE THERIAULT
And it's not cool.
GRAHAM CLULEY
I even tried to get a screenshot of it as it was doing it and it was too fast for me to do it.
CAROLE THERIAULT
Well, you are at a certain age now.
GRAHAM CLULEY
I am. I am a bit slow.
CHARL VAN DER WALT
So no user interaction required, Graham. It just reinstalls seamlessly in the background.
GRAHAM CLULEY
That's right. Just by clicking on the link.
CAROLE THERIAULT
You could try it right now, Charl, on your computer.
CHARL VAN DER WALT
Well, that would be confessing that I run a Mac, wouldn't it? And I can't do that.
GRAHAM CLULEY
Nice try. Nice try, Charl. Nice try.

So I think that's first of all pretty darn rude, you know, installing software without my permission, you know, and I expect software to behave nicely.

If I've uninstalled it, I expect it to be properly uninstalled.
CAROLE THERIAULT
We probably wouldn't have a show if they all did that though.
GRAHAM CLULEY
No, that's right. Thank heavens for rude misbehaving software. Otherwise, where would our entire careers be?
CAROLE THERIAULT
We'd probably be still working in a corporation.
GRAHAM CLULEY
Right. Well, that corporation probably wouldn't exist, would it?
CAROLE THERIAULT
Probably.
GRAHAM CLULEY
So, yeah. So I think we should all have control over which apps get installed on our computer.
CAROLE THERIAULT
100%.
GRAHAM CLULEY
I think most Mac users would expect that that thing had been uninstalled.
CAROLE THERIAULT
Not just Mac users, all freaking computer users should be able to expect that.
GRAHAM CLULEY
Yeah, totally. See, I don't mind the idea that if I click on a Zoom meeting link, I don't mind if it then pops up and says, oh, you don't have Zoom installed.

Would you like to install it? That would be kind of acceptable to me, I think. I don't have a problem with that because then I could say, no, I don't want that ruddy software.

I'll go into the web version of Zoom instead of actually installing an app.
CHARL VAN DER WALT
Yeah, because they have a web version, don't they?
GRAHAM CLULEY
Yes.

I think there is a web-based version, although I was looking at their support knowledge base and it sounded like almost it's up to the host of the call to decide whether it also sends you a link to the web version of the meeting rather than using the app, which seems rather—
CAROLE THERIAULT
That makes sense though, because you wouldn't want to confuse people by sending multiple links potentially.

But basically we're saying, I can say as a consultant, I want the web version of everything. I do not want to install apps.
CHARL VAN DER WALT
There's some other weird things that that researcher points out.

For example, that the host can dictate that when you join the meeting, your mic and camera are immediately activated.

That's one of the features he's abusing, but it's a feature of the app.
GRAHAM CLULEY
This is extraordinary. It's worth underlining.

So with Zoom, by default, the meeting host has the ability to decide whether participants' video is turned on automatically when they join the meeting.

And again, let's talk about your trousers situation, Charl. Potentially, that's disastrous, right?

If you dropped your pen or your notes on the floor just as you were clicking on the link, and then you're off. We'd never go back.
CHARL VAN DER WALT
We would never go back.
GRAHAM CLULEY
I mean, I know you're not a hirsute chap. I mean, you've got a beard, don't you? But you're, how can I put it? You're sort of follicly challenged on the top of your head.
CHARL VAN DER WALT
A little.
GRAHAM CLULEY
I have no idea what's going on on your bottom. But that could be broadcast to everyone else on the video conference call.
CAROLE THERIAULT
Again, Band-Aids are the solution to this.
CHARL VAN DER WALT
Sounding more and more like it.
CAROLE THERIAULT
Not your butt, your cryptocurrency.
GRAHAM CLULEY
Yes, exactly. Yes, yes, yes. Careful which hole you cover up. Yeah, it could lead to problems, but yeah.

So, okay, so the researcher pointed this out and he said, look, this isn't good because basically, because this all can be done with just a link, potentially a bad guy could booby trap a webpage to initiate the link or trick people into clicking on it, or maybe even use malvertising to open up video conferencing stream with someone.

And the researcher reported that to Zoom. And Zoom's response was a little bit snidey, I thought. It felt a little bit like— What did they say?

Well, they didn't really acknowledge it.

They said, well, look, the reason why we've implemented our software in this way is because it's a legitimate solution to poor user experience problem.

In other words, they're saying we've saved you a click. And we want our users to have faster one-click-to-join meetings rather than have to confirm that they really want to do it.

And I think, well, come on.
CAROLE THERIAULT
I know, but I get, I agree with you.

I agree, obviously, 'cause I, you know, but I can understand that there are many times when a service provider has to make a call of how many features to add to improve a service and may not, you know, and this is why baked-in security is so important.

You need to have a security expert in those meetings.

Sorry, Graham, I know we won't call on you, but we need people in those meetings from the get-go to think, hey guys, whoa, whoa, that may not be all that secure.
GRAHAM CLULEY
But in a video conferencing system where it's possible for the host to determine if your microphone and your video is enabled instantly, then that seems really rough that that person doesn't have a choice.

I agree. They don't have the ability to.
CAROLE THERIAULT
But I also, you know as well as I do that when we do these things, sometimes people can't find the right mics or the right headphones or et cetera.

And, you know, maybe they don't know how to turn it on. And, you know, sometimes you can grease the wheels. I'm just saying there's two sides to every coin. Two sides.
CHARL VAN DER WALT
Well, it seems to me like the approach of running a web server locally on a machine and the kind of website hack that they use to create this feature, it just seems really hacky.

It seems like a strange workaround. And we all know how this goes.

I think you've got a feature set like that and one vulnerability gets discovered, I think we can expect there'll be more. We're going to see more of this.
CAROLE THERIAULT
You guys are going to be all over it now.
CHARL VAN DER WALT
Yeah.
CAROLE THERIAULT
Okay. So we need to tell people how to get Zoom off their computers and also how to get this nasty little hidden bit of Zoom off their computers too.
GRAHAM CLULEY
So there are links in the show notes where we've linked to the researcher's blog article where he gives the technical instructions.

Unfortunately, it isn't as easy, like I said, as just dragging the Zoom app into your trash can. You do have to use some terminal commands. That's like going to the command line.

In order to do this properly. Zoom has said that it is changing its software. It said it already said, well, look, we've dealt with one of your complaints. Okay.

So what we're doing is we've released a quick fix, which disables the meeting creator's ability to automatically enable participants' video by default.

And you think, well, that's good that they've done that, right? Unfortunately, a couple of days later, that vulnerability sort of crept back into the software.

So they'd fixed it and then the fix fell off.
CAROLE THERIAULT
Because they did a rollback or something.
GRAHAM CLULEY
Who knows? But somehow or other that fix is no longer present. They've also said they're going to make some other changes as well.
CAROLE THERIAULT
They're muppets. They're muppets.
GRAHAM CLULEY
So I guess we're going to have to find out how to do this in browser rather than installing the app, aren't we?
CAROLE THERIAULT
Yeah, exactly.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
I mean, you know, the porn industry proves that you don't need an app to sell a service, right? So I think, no, let's go back to the web. I'm a big fan of that.

No installation, visit a webpage, do what you need to do, and then get out of Dodge.
GRAHAM CLULEY
Do you take a lot of advice from the porn industry, Carole?
CAROLE THERIAULT
Well, there's lots to be learned there.
GRAHAM CLULEY
Oh yeah. Yeah, Satan's school for girls. That's how I've decided to live my life. Interesting.
CAROLE THERIAULT
I'm very happily married. That's all I gotta say.
GRAHAM CLULEY
These days, it's not really relevant, Carole. Charl, what's your story for us this week?
CHARL VAN DER WALT
My story is about Twitter, but not the kind of Twitter where that's all YOLO and selfies.

This is the Twitter account of US Cyber Command, who we know is the cyber warfare branch of the US military, who've sort of been growing in prominence and getting louder and louder over the last few years.
GRAHAM CLULEY
And they don't tweet out selfies of themselves, is what you're saying? They don't seem to.
CHARL VAN DER WALT
I think that they're more on Instagram for that.
GRAHAM CLULEY
Right, okay.
CAROLE THERIAULT
And this is their official Twitter page?
CHARL VAN DER WALT
This is their official Twitter page. Well, an official Twitter page called US Cyber Command Malware Alerts.

And they post out warnings about things that are happening that they're aware of that they think kind of civilian space should know about.

And on the 2nd of July, so just a few days back, they tweeted out about this Microsoft vulnerability affecting Microsoft Outlook, which is the email application that Windows users use, that's being exploited in the wild.

But what we can read between the lines, and what a number of analysts picked up on, is that what they're referring to is a campaign linked to a threat actor group called APT33, believed to be Iranian state-backed hackers, who are exploiting this Microsoft Outlook vulnerability in the wild, and Cyber Command wants us to know about it because it's a big deal.
GRAHAM CLULEY
So basically we've got Iranian government-backed hackers who are attacking other countries and maybe breaking into the systems of industries based overseas, using Outlook, up to all kinds of mischief.

And so you've got US Cyber Command, who obviously— there's a little bit of tension at the moment, isn't there, between America and Iran, is something I picked up on.
CHARL VAN DER WALT
Yes, very astute, Graham.
GRAHAM CLULEY
I try and keep my finger on the pulse.

So they are alerting organizations, watch out, because people are using this particular Microsoft vulnerability and we think it's Iran who's up to it.
CHARL VAN DER WALT
Exactly.

And to summarize that sort of in a nutshell, the Forbes article that ran around this tweet, the headline for that article reads, US military warns Outlook users to update immediately over hack linked to Iran.

So your finger is very much on the pulse, Graham. You summarized that perfectly.
GRAHAM CLULEY
Thank you.
CHARL VAN DER WALT
So I'm reading into this article and it turns out that the vulnerability is being exploited using a hacking tool called Ruler, the thing that you measure distances with.

And this tool, as it happens, was developed back in 2017 by my team. So my team—
CAROLE THERIAULT
Oh, wow.
GRAHAM CLULEY
Hang on a moment.

So there are Iranian government-backed hackers who are trying to break into American systems and effectively, the tool which they are using, the weapon which they are using, was written by you and your buddies.
CAROLE THERIAULT
Thanks, Charl. Thanks so much.
CHARL VAN DER WALT
In South Africa. Yeah, there you have it. This might be my greatest achievement, you know.

And this story kind of rattled me because I thought, good, you know, look, we do this, right? And pen testing companies do this routinely. It's how we demonstrate capability.

It's how we attract people to come and work for us. It's how we warn the industry and our customers. It's how we demonstrate that threats are real.

And, you know, arguably this, that kind of disclosure of vulnerabilities and exploits is a very powerful tool in moving the industry forward.

And I spoke to a lot of people off the back of this and asked them how they felt about it, people from my team, and they all kind of stood by this decision to publish the exploit at the time.

And they all believed strongly it was the right thing to do.
GRAHAM CLULEY
You basically released this tool and this information in order to get the problem fixed because you found the problem and thought there might be a way of exploiting this.

Let's build a little tool which does it. It's not as though you guys were using it maliciously yourselves.
CAROLE THERIAULT
But they did build the weapon that was used, so to speak.
CHARL VAN DER WALT
We weaponized the vulnerability, yeah, that's true. And we use that toolkit extensively in our work.
CAROLE THERIAULT
For good, yeah.
CHARL VAN DER WALT
For good. And the vulnerability wasn't actually disclosed by us. The vulnerability was disclosed by a crowd called Silent Circle Security sometime before we wrote the tool.

So the knowledge of the vulnerability was out there. We just kind of shrink-wrapped it and demonstrated how it could be used in a weaponized way.
GRAHAM CLULEY
And I guess the normal way in which you actually use that in the course of your work is, would you be doing something like testing the defenses of a company who's asked you to see if they are vulnerable, and this tool would be one of the methods which you use, for instance?
CHARL VAN DER WALT
Exactly. That's exactly how it would work.

And it's very effective, and it demonstrates a very real contemporary threat, which can incidentally be exploited in a lot of other ways too, because the tool requires two things.

It requires this outdated version of Outlook, but it also requires us to have valid credentials for that user, valid Microsoft credentials for that user.

So we're demonstrating not just that bug, we're demonstrating a whole class of bugs linked to weak passwords or password reuse.
GRAHAM CLULEY
So once you exploit this vulnerability, what can you then do with it? What's the risk to the person who's been targeted in this case?

Obviously Iran is targeting organizations in America and maybe elsewhere around the world. What could they do with it?
CHARL VAN DER WALT
So when this vulnerability triggers, we effectively have persistent remote command and control over that user's machine with their privileges.

So it's kind of as if we're sitting on the user's machine at their terminal, at that command interface and typing commands.

And anything that user could do we could do, too, but remotely.

And from there, once we have that control as one user, then we exploit all those privilege escalation, lateral movement techniques that you hear people talk about.

And our testers would argue that once we have that initial entry point into the network, to get from there to domain administrator is a matter of days, maybe, probably hours.

Never weeks. It's that quick and easy to go from that initial foothold to having full control of the domain for most environments.
GRAHAM CLULEY
So the good news is Microsoft has patched this vulnerability in Microsoft Outlook, and they did it, they did it a while back, didn't they?
CHARL VAN DER WALT
Yeah, they made a patch available, and of course more recent versions of the software simply don't have those features anymore.

That particular feature is now gone from the software.
CAROLE THERIAULT
Defunct, okay.
GRAHAM CLULEY
Yeah.

But clearly the selfie-taking guys at US Cyber Command are still concerned that there's gonna be some organizations out there who haven't properly patched and are still vulnerable to, I'm afraid to say this again, Charl, but against your weapon.
CHARL VAN DER WALT
Against our weapon, VPN. Yeah.
CAROLE THERIAULT
It's a really complicated situation for you guys, actually. I feel for you.
CHARL VAN DER WALT
It is a complicated situation. And there was a time where this trade-off between keeping a vulnerability to yourself or exposing it was, it seemed simpler to think through.

But now in a world where nations and armies are using these kinds of tools effectively in kind of low-level cyber wars, the equation becomes much more complicated, I think.
GRAHAM CLULEY
But come on, come on, come on. When you read this, right?

When your team heard about this, did you kind of think, well, this is actually the, this is kind of the best endorsement we've ever had because we wrote this thing a while ago, but I think he pooped his pants a little bit.

Carole, we have to keep on coming back to that.
CHARL VAN DER WALT
I'd like to avoid using the word poop in public.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
So my story this week, Graham, would you just read the following paragraph, please?
GRAHAM CLULEY
Okay, hang on.
CAROLE THERIAULT
It's in the document there.
GRAHAM CLULEY
You've got something in front of you.
CAROLE THERIAULT
You read it rather than me. You just read that.
GRAHAM CLULEY
You want me to read it? Oh, do I work for you? Why not? Okay. Wonderful Carole. Okay.

You are not only a great trusted friend who is much, much funnier than me, but also the best co-host in the world. You're the only co-host I've got.

Really, you are much funnier than me, and I learn so much from you.
CAROLE THERIAULT
Just wanted you to hear it directly from me. Okay, no offense, but is that the best you can do?
GRAHAM CLULEY
Wonderful, Carole. You are not a great—
CHARL VAN DER WALT
You know what?
CAROLE THERIAULT
Forget it. I'm just going to deepfake it.

It's probably much easier and it'd probably be much more believable and it'll lose that sarky tone that you brought in with your little comment there.

So deepfakes, that's what we're talking about. The reason for the story is I fear we're going to see a lot more of them and there's not a lot we can do about it.
GRAHAM CLULEY
Well, there's a lot of talk about it, isn't there?
CAROLE THERIAULT
All things internet, though, clearly deepfakes can be used for fun, right? Or to make a valid point.

But they can also be used for the more nefarious purposes, all that horror show of propaganda, disinformation, reputation destroying and all that.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So basically, for those that don't have a full grasp on deepfake, it basically takes existing footage, real footage of a person, and doctors the face, body, words, or clothing.

So it's being used to target celebrities, politicians, and other high-profile people. And this deepfake tech is getting slicker.

I need you all to appreciate that it could be pretty darn convincing. I have put a link in the show notes there. You guys can go see it of a video.
GRAHAM CLULEY
Hang on. Oh, for goodness. Oh, bloody Rick Astley.
CAROLE THERIAULT
It's a live Donald Trump, just more aged. I just had to Rickroll him. It was time.
GRAHAM CLULEY
Every couple of months she does that.
CAROLE THERIAULT
Okay, no, here's the real link. Here's the real link. So this is Steve Buscemi as Jennifer Lawrence mashed up into a kind of deepfake.
CHARL VAN DER WALT
I've been taught not to click on— Oh my goodness. Yeah.
GRAHAM CLULEY
I'm looking at a video of, well, it's Jennifer Lawrence's lovely body. But she has the face of Steve Buscemi, which I have to say is slightly alarming.

But I don't think this would fool me into thinking it's really Jennifer Lawrence, Carole. It's not the most convincing.
CHARL VAN DER WALT
Exactly.
CAROLE THERIAULT
Exactly. You see, in this case, this mashup isn't set to dupe us, right? We're kind of, as the viewers, we're in on the joke.

We know it's Jennifer Lawrence and Steve Buscemi being mashed up together.
GRAHAM CLULEY
Right, right.
CAROLE THERIAULT
But there are many deepfakes out there that are designed to bully people or mislead us humans.

And the worry is the tech is getting much, much better at it and people are figuring out much more nefarious ways to work with it.

So just last week there was this Windows app that came on the market called DeepNude.
GRAHAM CLULEY
Oh, that was horrendous, wasn't it?
CAROLE THERIAULT
Right. And it cost something like $50.
GRAHAM CLULEY
Exactly. It was so expensive. It was horrendous how much one had to pay to get hold of it. Yes.
CHARL VAN DER WALT
Yeah.
CAROLE THERIAULT
And you know what? It was taken down very soon after it was made public, thanks largely to the tech press led by Motherboard for vilifying it for its gross raison d'être, right?

And get this, this is how it happened.

You would load up a picture of a clothed woman, is the idea, and using its so-called AI, the woman would be transformed from a clothed woman to a nudie fake version.

Basically all her clothes are stripped off. And the first thing I wondered when I saw the story is why they keep talking about women. Surely you— what happens if you load up a man?

And what happens is you still get a fake female bit, a female growler, instead of the meat and two veg.
GRAHAM CLULEY
Oh, right. So if you use this against me, you would see my naked— my face, but I'd have breasts and things.
CAROLE THERIAULT
You'd have boobies and a little—
CHARL VAN DER WALT
Yeah.
GRAHAM CLULEY
Which I don't have in real life.
CHARL VAN DER WALT
Moobies, Graham. I heard on a previous show that you have boobies. I heard it at the source.
CAROLE THERIAULT
Or mitts. Mitties is another great one.
GRAHAM CLULEY
Mitties? What are mitties?
CAROLE THERIAULT
Man tits.
GRAHAM CLULEY
It's all for good music.
CHARL VAN DER WALT
Carole, not to diminish how gross this idea is, I do see a legitimate business application.
CAROLE THERIAULT
Okay, shoot.
CHARL VAN DER WALT
When used in conjunction with the right kind of video conferencing application, it could be used to remove your trousers if you happen to accidentally be wearing some.
CAROLE THERIAULT
Or we could reverse engineer it and add trousers on you. So you could be sitting there right nude but actually look fully dressed in your sports slacks and blue button-down.
CHARL VAN DER WALT
That's why you're the host of the show and I'm only a guest.
GRAHAM CLULEY
I am reinstalling Zoom right now. It's going back on my system.
CAROLE THERIAULT
But the point is, the point is this app DeepNude, it's very easy to see how people could be bullied by it.
GRAHAM CLULEY
My goodness.
CAROLE THERIAULT
Yes, it was.

It's an awful— And the other thing that happened just this week was Symantec has just reported that it sees what it believes to be deepfaked audio of CEOs being used by phishers to trick basically the company financial controller into transferring cash over to the fake CEO.
GRAHAM CLULEY
So that's interesting.

So these are these business email compromises where someone— there's a variety of ways you can do it, but you could ring up pretending to be the CEO and go, "Okay, you know, I'm ringing up from head office in Glasgow." It's exactly like a voice phish, right?

"Move £1,000 into this bank account." And because they've grabbed the audio from earnings calls—
CAROLE THERIAULT
The real CEO.
GRAHAM CLULEY
Yeah. It would sound like the real— Gosh, that's very devious, isn't it?

If they combined that with background noises of an office and things, then it would maybe even seem more convincing.
CHARL VAN DER WALT
Golf clubs, right? If it's the CEO, you want to go ping!
CAROLE THERIAULT
The golf cart, the golf cart.

It's similar to the Smashing Security story Jessica Barker did on our show on episode 134, where she was talking about how scammers used bad lighting and a 3D-printed mask to dupe millions in France to give out money to help the government.

Anyway, it was a great story. Go listen to it. Episode 134.
CHARL VAN DER WALT
You know what that's called, Carole?
CAROLE THERIAULT
What's that called?
CHARL VAN DER WALT
Bad light and cheaply printed 3D masks. That's not deepfake. That's cheapfake.
CAROLE THERIAULT
Great.
CHARL VAN DER WALT
I didn't even invent it. That's what it's called.
GRAHAM CLULEY
Kaboom.
CHARL VAN DER WALT
I didn't know that. Cheapfakes. Cheapfakes refers to like if they're just slowing a video down, for example, to make someone look drunk or just cutting a part out of a video.

You know, there's no real machine learning or AI. It's just really cheap and dirty hacking with media.
CAROLE THERIAULT
Right. So they did that to Nancy Pelosi, right? So we call that a cheap fake as opposed to a deepfake. That would be a cheap fake. Yeah. Okay. Today I learned.
GRAHAM CLULEY
Yep.
CHARL VAN DER WALT
I saw a demo by Adobe of a piece of software they were planning to release that would take a voice recording of someone delivering a speech or in a meeting.

I think they said they needed, maybe it was 20, maybe it was 40 minutes of text. So it's a fairly significant amount.

And then while a person was speaking, they could transcribe voice to text in real time. So, you could see the words. It would appear on your console.

And then you could change words in that text and it would play it back in that person's voice, even if you used words that weren't in the original recording.

You could literally, in real time, on a Windows GUI app, change what somebody said.
CAROLE THERIAULT
I saw that. So, it needs about a few hours of video, apparently. That seems to be the consensus from my research this morning, right? And you need about a few hours.

Sometimes I've seen 40 minutes, but you need about a few hours to make a really good deepfake. And people are saying it is a lot of work.

So people aren't going to do this for no return, right? There's going to be a game plan.
GRAHAM CLULEY
So if I had some footage of Carole speaking, for instance, I could get her to convincingly say words whilst.
CHARL VAN DER WALT
Whilst.
GRAHAM CLULEY
Without sort of gagging.
CHARL VAN DER WALT
Surely she would say whilst anyway.
CAROLE THERIAULT
No, I know I would never.
CHARL VAN DER WALT
Isn't that the correct?
GRAHAM CLULEY
Apparently she's got some sort of issue.
CHARL VAN DER WALT
Isn't that the proper English?
GRAHAM CLULEY
No, yes, it is.
CHARL VAN DER WALT
That's what I would have thought. You know?
GRAHAM CLULEY
Yes, exactly. Very wise. Excellent guest. Excellent guest.
CAROLE THERIAULT
I know what you all are wondering. How the heck do I handle this? How do I spot them?

And right now, you know, there's no reliable reverse engineering to a deepfake as yet that I'm aware of. So I was looking around to see what people recommended.

And I have to agree with Slate journalist Jane C. Hu, because what she suggests seems to be the best for me.

Perhaps you don't want to get lured by deepfake, you need to get familiar about them, right?

So there's, for example, on Reddit there's a subreddit called Git Fakes, and there's a lot—
GRAHAM CLULEY
Not Git Face, but Git Fakes.
CAROLE THERIAULT
Yep. And there's many, many hundreds of examples, right?

And you can look at those images and those videos and look at the lighting, look for fuzziness around the neck where it connects to the body, look at fuzziness around the mouth, face discoloration, and, you know, you need to teach your brain what to look for.

And that's basically how you train yourself for it.
CHARL VAN DER WALT
That is, you know, that is so hopeless.
CAROLE THERIAULT
Yes, because technology is going to get better and those lines are going to become imperceptible to the human eye.
CHARL VAN DER WALT
We still haven't solved that problem for something as simple as phishing, right?

Whether these clear technical markers— and, you know, of course, also that your brain sees what it wants to see, right? It's cognitive dissonance.

You— people are going to believe it.
CAROLE THERIAULT
I think it's awful, right, Graham?

So maybe if you don't want me to create a deepfake of you saying nice things to me, maybe you in real life should say nice things to me more often.
CHARL VAN DER WALT
That would be one way to do it.
GRAHAM CLULEY
Maybe you could give me some reasons to say nice things.
CAROLE THERIAULT
Let me share one last weird thought that I had when I was preparing for this story.

So I'm doing this, right, and I'm thinking, you know, in a way, if the internet gets littered with deepfakes, we actually in a way get our privacy back because none of it's real.
CHARL VAN DER WALT
You can deny everything.
CAROLE THERIAULT
Not real, you have no idea. Yeah, so everything's a lie or unprovable as a lie or truth. So we basically go back to square one on privacy fronts.
CHARL VAN DER WALT
That's true.
CAROLE THERIAULT
Because, you know, an employer wouldn't be able to trust the deepfake to say, oh, you can't get a job because you photocopied your butt when you're 14 at your dad's office because it won't be online.
CHARL VAN DER WALT
And I could claim that I was actually wearing trousers on that.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
You did what in your dad's office?
CHARL VAN DER WALT
I didn't.
CAROLE THERIAULT
I'm just—
GRAHAM CLULEY
All right, well, I've just heard you say it, haven't I? I can take that audio. Thank you very much.
CHARL VAN DER WALT
That's a cheap fake, Graham. Cheap, cheap fake.
CAROLE THERIAULT
We are sponsored this week by our friends at LastPass. Now, Graham, isn't it something like 90% of security breaches involve a stolen password or a poor password?
GRAHAM CLULEY
Yes, stolen passwords, poorly chosen passwords, reused passwords, passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.
CAROLE THERIAULT
Listeners can learn all about LastPass Enterprise at lastpass.com/smashing.
GRAHAM CLULEY
You don't have to say forward slash, by the way, Kian, just say slash.
CHARL VAN DER WALT
Just so you know.
GRAHAM CLULEY
If you're baffled by threat intelligence and how it might be able to help secure your company, The Threat Intelligence Handbook from Recorded Future is the book for you.

It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations.

Grab it now for free at smashingsecurity.com/intelligence.

And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Charl?
CHARL VAN DER WALT
What? Pick of the Week.
GRAHAM CLULEY
It's the one thing a guest has to do. It's the one thing we ask them to do.
CHARL VAN DER WALT
Every time.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, I am going to go back in time once again for my Pick of the Week, but further back in time than normal. I'm going all the way back to 1868.
CAROLE THERIAULT
Oh, do you remember that time?
GRAHAM CLULEY
I don't remember that time. No, no. But there was a book published, a mechanical encyclopedia published by a chap called Henry T. Brown.

Have you heard of 507 Mechanical Movements, Mechanisms and Devices? Very, very— it's a classic.
CAROLE THERIAULT
Are you trying to prove to the world that you're quite intelligent?
GRAHAM CLULEY
No, I'm trying to prove to the world I've been on Wikipedia.
CHARL VAN DER WALT
I heard it here first, Graham. I heard it here first.
GRAHAM CLULEY
So this 507 Mechanical Movements, its subtitle is it embraces all those which are most important in dynamics, hydraulics, hydrostatics, pneumatics, steam engines, mill and other gearing, presses, horology, and miscellaneous machinery.

Now I'm not recommending as my pick of the week the actual book, which is now in the public domain, you can check it out, but instead a website which has taken all these mechanical movements and has animated them.
CAROLE THERIAULT
So you don't have to read any words.
GRAHAM CLULEY
Cool. Which is my preference. So if you go to 507movements.com, you will see a number of these things. And go there and click on some of the ones which are in red there.

And you will see little animations of gears moving and pulleys going in reverse and—
CAROLE THERIAULT
Yeah, it's kind of cool, Graham.
GRAHAM CLULEY
It is kind of cool. And levers moving. And there's 507 ways that they've documented in this ancient book.
CAROLE THERIAULT
I'm tweeting this to my nephew right now. I think he's going to be in heaven.
CHARL VAN DER WALT
Graham, did you notice that some of these don't have the animations? Is that right? Or is it just my internet that's broken?
GRAHAM CLULEY
Not all of them have yet been animated, sadly, but a good few have.
CHARL VAN DER WALT
This is fantastic.
CAROLE THERIAULT
I've seen about 1 out of 5 so far have been animated.
GRAHAM CLULEY
I think— well, I'm not sure if it's quite that bad. I think it's quite good, but it's rather lovely.
CHARL VAN DER WALT
I'm going to use this to teach my 4-year-old. It's fantastic.
CAROLE THERIAULT
Exactly. Yeah.
CHARL VAN DER WALT
And myself.
CAROLE THERIAULT
Exactly. And you can sound really knowledgeable by just reading the little script at the bottom. This is a screw propeller, son.
CHARL VAN DER WALT
Obviously.
GRAHAM CLULEY
Seriously.
CHARL VAN DER WALT
Or daughter.
GRAHAM CLULEY
It is worth looking through because it is, especially with the animations, you really get a sense for how these different things work. How ingenious it all is.
CHARL VAN DER WALT
I find it wonderful that these things all have names. You know, have you ever had these conversations where you try and describe to someone that kind of mechanism?

You know, that thing that the engine where it pushes down those other things that go round that turn the gears that turn the wheel?

And actually all those things actually have names.
GRAHAM CLULEY
Yep.
CAROLE THERIAULT
406 doesn't.
GRAHAM CLULEY
406 doesn't.
CAROLE THERIAULT
Nope.
CHARL VAN DER WALT
I think Carole is just in a bad mood today.
GRAHAM CLULEY
I'm looking at a triangular eccentric at the moment. Given an intermittent reciprocating rectilinear motion. What? Apparently it was used in France for steam engines.
CHARL VAN DER WALT
For the guillotine. Oh, for steam engines.
CAROLE THERIAULT
I have to say, I don't know if we're selling it very well on a podcast, but I do think it's a very good website, Graham.

I think people should check it out, particularly if you're into engineering or you have kids that like things that move around.
CHARL VAN DER WALT
Right.
GRAHAM CLULEY
Yeah. Right. 507movements.com. And that is my pick of the week.
CHARL VAN DER WALT
Good pick, Graham.
GRAHAM CLULEY
Thank you very much. Charl, what is your pick of the week?
CHARL VAN DER WALT
Well, before I give you my pick, Graham, I have a test for you. I need you to try and pronounce me the word that is spelt X-H-O-S-A. X-H-O-S-A.
GRAHAM CLULEY
X-H-O-R. Now, I've got a feeling— well, I'm sure I can't pronounce it correctly, but I think I know what language this is. And Carole, do you have any idea how you say this?

Because I think it's quite unusual, isn't it? It's not Frank. It's not ex-hoser. It's not chozer. But there's— isn't there some clicking or something? Isn't there like—
CHARL VAN DER WALT
There's some clicking. Yeah.
GRAHAM CLULEY
Can you do it for us?
CHARL VAN DER WALT
You know, I'm not very good. I learned this language at school, but, you know, my tongue is not accustomed to it, but I'm going to do my best. So the word is [click sound]. X-H-O-S-A.

Yeah, and it's [click sound]. It's the name Xhosa. No, Graham, no, no, no. And it's the name of a South African tribe and a language. We have 11 here. Yeah, and they have 3 clicks.

There's the X, which is [click sound], and the C, which is [click sound], and then the best one is the Q, which is [click sound]—
GRAHAM CLULEY
Oh, I like that one.
CHARL VAN DER WALT
Yeah, so for example, my son's nickname is [click sound], which means the light.

Anyway, the reason I mention it is because my pick of the week is a book by a South African author called Trevor Noah, who is unusual in South Africa because his mother was a Xhosa and his father was a Swiss German.
CAROLE THERIAULT
Is this Trevor Noah Trevor Noah?
CHARL VAN DER WALT
Trevor Noah Trevor Noah.
GRAHAM CLULEY
The comedian?
CHARL VAN DER WALT
The comedian, yes, who took over from Jon Stewart as host of The Daily Show. Yeah, so, so long before he was hosting The Daily Show, he was a stand-up here in South Africa.

Extremely funny.
GRAHAM CLULEY
Yes.
CHARL VAN DER WALT
Really, he's the kind of guy that, you know, you can only listen to for little bits because you start to hurt in all kinds of places.
GRAHAM CLULEY
A bit like Carole. I listened to her for a while and I begin to feel quite painful. Yeah, I get it.
CHARL VAN DER WALT
And he does a sort of comedy that's very local. So, you know, as a South African, you can really relate to him. He talks for us.

And because he's half white and half black, he really speaks into the sort of contemporary South African context, which is still, you know, kind of trying to come out of apartheid, still very racialized, still very kind of confused about where it's at and what it's doing.
CAROLE THERIAULT
So what's the book about?
CHARL VAN DER WALT
So the book is a memoir. It's called Born a Crime: Stories from a South African Childhood.

And he really tells his story and uses it to be funny, to comment on the context in South Africa, to talk, you know, very lovingly about his mom.

It's one of those books that really does a whole lot of things all in one go. So at times you'll laugh, at times you'll cry, at times you'll learn. I highly recommend it.

He's very funny. He's very insightful. He's very smart.
CAROLE THERIAULT
Okay. I'm gonna take a look for that.
GRAHAM CLULEY
Okay. And it's called Born a Crime.
CHARL VAN DER WALT
Born a Crime. Born a Crime. Yeah. Stories of growing up in South Africa.
GRAHAM CLULEY
Okay. Thank you very much. Good pick of the week. Carole, what's your pick of the week?
CAROLE THERIAULT
Okay. So I'm going to use my tween niece's vernacular here. Okay.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
I love me some trees. I love me some chocolate.

I love me— yeah, anyway, so I'm visiting family right now, as we all know, and my parents have a rather manicured garden, you know, full of flower beds and trees and all this, right?

And my mom is often out there weeding, weeding, weeding, weeding.

And I was watching her the other day just pulling out all of these baby maple saplings and throwing them into the compost, right?

And I, who love trees, think, why aren't we putting those in little clay pots and see what happens? What a fab present that would be for someone, yada yada.

So my pick of the week this week is actually an article that I saw in National Geographic, and it basically talks about how using Google Earth, scientists have found almost 1 billion hectares of land that is basically good for plants.

So we could plant forests on that almost 1 billion hectares, restoring—
CHARL VAN DER WALT
Great.
CAROLE THERIAULT
Gigatons, hundreds and hundreds of gigatons of carbon back to the atmosphere.

So this is based on a report that was published last Thursday in Science, and it's called The Global Tree Restoration Potential, and found there's enough suitable land to increase the world's forest cover by one-third without affecting existing cities or agriculture.

Amazing. Amazing. See, technology for the good. This is a super clever idea, but it is yet still just an idea, right?

And if we want to help curb the glut of carbon emissions, plant a frickin' tree.
CHARL VAN DER WALT
Plant a tree.
CAROLE THERIAULT
Put a few tree weeds in a pot and give them to loved ones. Guess what you're getting for Christmas, Graham?
GRAHAM CLULEY
I think, Carole, you need to scrabble around in your mum's compost heap right now and pick out those saplings.
CHARL VAN DER WALT
Maybe you can find some old wrapping paper in there too, Carole, for Graham's Christmas gifts.
CAROLE THERIAULT
It's not worth that.
CHARL VAN DER WALT
You know what the other technique is you could use to reduce carbon emissions by 25%? I heard this is legit. I heard this.
CAROLE THERIAULT
Okay.
CHARL VAN DER WALT
You feed garlic to cows.
GRAHAM CLULEY
Oh, there you go.
CHARL VAN DER WALT
I bet that would work. Apparently, apparently feeding garlic to cows reduces the amount that they— and we've said before, so I'm just going to say it again.
GRAHAM CLULEY
Did you read this on the internet?
CHARL VAN DER WALT
I saw it on TV, Graham.
GRAHAM CLULEY
Oh, then it must be true. It must be true.
CAROLE THERIAULT
It must be true.
GRAHAM CLULEY
I'm sure they wouldn't have found it on the internet.
CHARL VAN DER WALT
But apparently it's not universal, so it depends on where the cow's from and what they eat, but for certain kinds of cows, if you give them— it's the garlic extract, whatever the sort of active ingredient in garlic is— it significantly reduces the amount of methane they emit.

They test it in a lab, there's a lab for this.
GRAHAM CLULEY
There's a lab where they're force-feeding cows garlic?
CHARL VAN DER WALT
And measuring how much they poop. How easy is this? Which is the scientific part.
GRAHAM CLULEY
I have heard before that if we stopped eating beef and instead we switched over to kangaroo meat, that would be good because apparently kangaroos don't fart.
CAROLE THERIAULT
Or just go vegetarian, Graham.
GRAHAM CLULEY
That's also a possibility. Yeah, vegan. But then we'd be increasing our emissions as well, wouldn't we?
CAROLE THERIAULT
Hmm.
GRAHAM CLULEY
Hmm. Well, this is— well, on that bombshell, I think we've just about wrapped up the show for this week. Charl, I'm sure lots of our listeners would love to follow you online.

What's the best way for folks to do that?
CHARL VAN DER WALT
Graham, the best way is to follow me on Twitter. I'm gonna have to spell out my Twitter handle because it's a bit complicated.

So it's Charl van der Walt, which is C-H-A-R-L-V-D-W-A-L-T. That's without a G because Twitter wouldn't allow me to have a G in my Twitter handle.

Or onlinesecdata.com, S-E-C-D-A-T-A.com.
GRAHAM CLULEY
Fantastic. And you can follow us on Twitter @SmashinSecurity— no G, Twitter doesn't have a G— and we've also got our website at smashingsecurity.com.

And maybe you want to check us out on Reddit, or indeed our online store. You can get mugs and t-shirts and things like that, smashingsecurity.com/store.
CAROLE THERIAULT
And as always, huge thank you to this week's Smashing Security sponsors, LastPass and Recorded Future. Their support helps us bring you this show for free.

So be sure to check out their offers. And fist bumps to you listeners out there, especially those of you who get in touch with your emails and reviews and your shares.

They all mean the world to us.
GRAHAM CLULEY
Until next week, cheerio, bye-bye, bye! Don't forget Aunt Mimi.
CAROLE THERIAULT
Don't forget Aunt Mimi. Shout out to her as well.
CHARL VAN DER WALT
Best Mimi.
CAROLE THERIAULT
I don't think any of the others listen.

Well, it seems it didn’t take long for Zoom to realise it was on the wrong end of the argument.

In a blog post, Zoom founder and CEO Eric S. Yuan doesn’t go so far as using words like “sorry” or “apologise” but does admit that the company “misjudged the situation.”

Furthermore, Zoom says it has issued an update to its Mac app that removes the controversial local web server code, and now offers an uninstall option that both removes the Zoom client *and* the local web server.

Zoom update

My advice? If you want to continue running Zoom on your Mac, you should apply that update.

But that’s not all that’s happened.

Apple has also entered the fray, and issued a silent update to Mac users that removes the Zoom web server code from all Macs, even if they do not update their version of Zoom. Zoom says it worked with Apple to test the update, which requires no user interaction.

TechCrunch reports that Apple’s update “will protect users both past and present from the undocumented web server vulnerability without affecting or hindering the functionality of the Zoom app itself.”

Going forward, Mac users will be prompted whether they want to run the Zoom app. Clearly wise heads have concluded that that’s not such a “poor user experience” after all.

Me? I’m not rushing to reinstall Zoom on my computers. I think next time someone invites me to a Zoom-based video conference I’ll see if I can use the web version of Zoom (which doesn’t require any software to be installed on my computer) instead.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
