How do you feel about paying a subscription for software?
Are you happy to pay a monthly fee to get new features as soon as they are developed, helping to support software houses, or do you think you should only have to pay once – or, perhaps, not at all.
It’s definitely the case that many people dislike paying software subscriptions, and resent that more and more products are moving in that direction. And perhaps that’s why Qbix, the developers of a popular Mac scheduling app called “Calendar 2”, recently shipped a version of their software with an alternative revenue-generating feature.
Rather than paying a flat fee of $17.99 or a 99 cents per month subscription to gain access to all of Calendar 2’s advanced features, the app now offered “All advanced features for free” if you allowed it to “unobtrusively” generate the Monero cryptocurrency in the background.
Now, I don’t necessarily have a problem with cryptomining *if* it is done with the full, conscious permission of the computer’s user, who is aware of the possible downsides.
Unfortunately, users complained that the app was cryptomining *without* their explicit permission.
@SGgrc @QbixApps Calendar 2 for Mac (from the App Store) launched a cryptocurrency miner without my permission. Then it ate 200% CPU until I found it and killed it. I didn't expect a miner infection from an App Store vendor. Wow. It runs the xmr-stak Monero miner.
— Fred Laxton (@fredonline) March 12, 2018
Security researcher Patrick Wardle analysed the app, and also managed to grab a screenshot of some of the poor reviews it was receiving on the Mac App store.
“This shady practice is not acceptable, and I don’t know how this app passed Apple’s quality inspection.”
“An app should not be able to all of a sudden change your settings and turn it into a cryptomining machine. It uses up so much memory, power and it slows the computer down. I immediately removed it and came to write a review, and i never write reviews.”
Okay, so this would be bad enough. But what’s worse is that the buggy cryptomining version of Calendar 2 was distributed via Apple’s Mac App Store, a marketplace that you expect to be safer than third-party sites because developers have to jump through some many hoops to have their apps approved.
The appearance of a cryptomining app in the official Mac App Store either suggests that Apple is allowing in apps that are open about cryptomining, or that Apple missed it.
And if Apple missed it, what other apps might be secretly harbouring malicious code in the Mac App Store?
If the complaining users are to be believed, the app may have been opening about its cryptomining but a bug meant that the cryptomining occurred even when users declined to participate.
The app has now been pulled from the Mac App Store, and developer Qbix has blamed the problem on a “perfect storm” of bugs that meant it didn’t work as intended.
As Ars Technica reports, Qbix thought their app would “only” use 10-20% of a Mac’s computer power, depending on whether it was plugged in or not… but actually used much more.
Qbix has decided that it will submit a new version of its app to the Mac App Store, which doesn’t include the third-party cryptomining code, and has said it had decided to “get out of the mining business.”
A good decision by them, I think. But meanwhile Apple probably needs to wake itself up to the growing interest in cryptomining within apps, and decide what it wants to do about it. At the time of writing Apple has declined to comment on whether Qbix broke any rules.
You can hear more about this incident on an edition of the “Smashing Security” podcast:
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
How are you going to listen to Smashing Security podcast while you're in the secure room?
Right.
No, no, no.
So I'm not going to say no speakers. My idea, it's ultrasonics, right? Get a chihuahua. Every office needs a chihuahua.
A little Maltese.
Or a lovely Maltese. I love Maltese. I love those.
A Pooberdor.
What's that?
It's the opposite of a Labradoodle.
And it could pick up the high frequencies and go yep, yep, yep, yep, yep, yep.
Pooberdor could be pug and Labrador, actually. That's a poor Labradoodle. Poor pug.
Smashing Security, Episode 69: Cryptomining, China, and Bob Ross. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security, episode number soixante-neuf. My name is Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security, episode number soixante-neuf. My name is Graham Cluley.
I'm Carole Theriault, or Carole Theriault.
Oh, I see. Oh la la. And we are joined today by Monsieur John Hawes of the Anti-Malware Testing Standards Organization, AMTSO. Hi, John.
Bonjour, bonjour.
So, John, AMTSO, it's not a reviews agency, is it? You're sort of setting standards for tests instead, as I remember.
That's right. Yes. We're trying to guide people who do tests to do it better.
Have you thought about rating and considering reviews instead? Because we've had a couple of bad reviews on iTunes for this podcast in the last week or so. Yeah.
And I really would like an independent organization like yourself to take a look at them and give us your feedback. Are they fair? That kind of thing. How does that sound to you?
And I really would like an independent organization like yourself to take a look at them and give us your feedback. Are they fair? That kind of thing. How does that sound to you?
Are reviews supposed to be fair? Isn't the point of them that it's people just venting?
Well, I don't know. You're the one who's testing reviewers.
Carole, would you like to start off by reading out the first bad review that Smashing Security has had, at least this week?
Oh, not ever.
No, not ever.
Okay.
Okay. So it's entitled 'Could Have Been Good' by Vrai Chevalier from the United States, or 'Real Horse' as a translation.
Do you think that's Maurice's brother or something?
Brother Vray.
Vray's quite a nice name, actually. Now it says, this could have been a good tech podcast, but the bigotry spoils it. I cannot and will not abide bigotry. Such a shame.
So he seems bigoted against bigotry, but I don't know what bigotry he's referring to.
So he seems bigoted against bigotry, but I don't know what bigotry he's referring to.
Bigoted against bigotry. You've been spreading so much bigotry you can't pick out what he's—
No. Yeah. Last week Graham talked about aliens and put a lot of blame on them. And so maybe he's an alien enthusiast and thinks that's unfair.
He's being speciesist.
Don't forget our special guest last week, James Thompson. He had a bit of a go at cyclists, or was it drivers? I wasn't quite clear. He was having a go at everyone.
So it might have been a few people. I mean, it's possible. I mean, a few episodes ago, you spoke about gun control. It can't have been that though.
I mean, everyone's sort of sensible about that, aren't they?
So it might have been a few people. I mean, it's possible. I mean, a few episodes ago, you spoke about gun control. It can't have been that though.
I mean, everyone's sort of sensible about that, aren't they?
Well, it starts off pretty reasonable when they say could be good. I mean, there's not much wrong with that, I guess. Yeah, the use of the term bigot seems a little unnecessary.
I mean, from what it sounds like, all you've been doing is venting strong opinions. Surely that's what podcasts are for.
If you listen to a podcast and then you're shocked that there's strong opinions on it, then maybe you should be listening to something different.
I mean, from what it sounds like, all you've been doing is venting strong opinions. Surely that's what podcasts are for.
If you listen to a podcast and then you're shocked that there's strong opinions on it, then maybe you should be listening to something different.
Thank you. Now there's one other review which came in this week which was a little bit negative with one star, and that was from someone in the United States.
Again, it seems to be United States. His username is Not a Bonehead Like You. I don't mean you, John. I think that's just sort of generic you. Subject title: Worst Podcast in History.
Wow.
Again, it seems to be United States. His username is Not a Bonehead Like You. I don't mean you, John. I think that's just sort of generic you. Subject title: Worst Podcast in History.
Wow.
I think that's quite an award.
Quite an accolade, I would like to say. We want to be award-winning for. And it says, you can tell listening to these morons that they just don't get it.
I think it's it as in it rather than IT, because it's not capitalised.
I think it's it as in it rather than IT, because it's not capitalised.
He must be talking about the guests.
John, if you were to sort of finger your nautical beard and muse about this, where do you think this chap's coming from?
Well, he's not really going into a lot of detail. Also, I'd be concerned that Worst Podcast in History is actually somebody's trademark.
There's probably a board scheme that's giving that out that he's using.
There's probably a board scheme that's giving that out that he's using.
A bit like the raspberries. I think what we'd like is obviously we accept that not everyone's going to love our podcast and that's fine, right?
That's totally fine.
Totally fine. We'd be upset if we had a bland podcast that people didn't hate.
Expect them just not to listen anymore. But if they feel the need to tell us this way.
We need more detail in our bad reviews. Specifically, who are you upset with? Which of the hosts? Carole, for instance, is one of the hosts. Wow. And wow. All the guests.
For instance, John, no pressure, but people will be judging you on your performance today. Get into detail.
Maybe give us a timestamp of what in particular upset you, and then we can fix it in the future.
For instance, John, no pressure, but people will be judging you on your performance today. Get into detail.
Maybe give us a timestamp of what in particular upset you, and then we can fix it in the future.
I really would prefer them not to do that to me.
But you have to improve. And just saying really bad, 1 star doesn't really help you very much.
No, I know.
You need specifics.
I agree.
I would like specifics very much.
Because if we don't keep getting good reviews, we're not going to be able to get decent sponsors, are we?
Segue. Smooth, smooth.
This episode of Smashing Security is sponsored by LastPass. LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size with the right tools to secure your business with centralized control of employee passwords and applications.
But LastPass isn't just for enterprises. It's an equally great solution for business teams, families, and single users.
Go to smashingsecurity.com/lastpass smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses.
LastPass Enterprise simplifies password management for companies of every size with the right tools to secure your business with centralized control of employee passwords and applications.
But LastPass isn't just for enterprises. It's an equally great solution for business teams, families, and single users.
Go to smashingsecurity.com/lastpass smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses.
So guys, I want to ask you this week a very important question. How do you feel about paying a subscription for the software you run on your computer?
Perfectly fine with that. I mean, I preferred, I obviously preferred the old model of buying software once and for all and it's yours.
But, you know, there are advantages to subscription models. Obviously things can be kept up to date, vulnerabilities are addressed very quickly.
But, you know, there are advantages to subscription models. Obviously things can be kept up to date, vulnerabilities are addressed very quickly.
A lot of software does seem to be moving that way. Of course, Microsoft Office is moving that way.
You know, you can pay a monthly fee to get the new features as they're developed and you don't have to pay a huge amount if a major new version comes out.
And of course it helps support developers as well. It means, rather than you just having paid them in 2005, they're continuing to get support from you.
So I actually think it's reasonable to do as long as the fee isn't too big.
Not everyone loves them though, which is understandable because people are so used now to 99 cents apps on your phone.
You know, you can pay a monthly fee to get the new features as they're developed and you don't have to pay a huge amount if a major new version comes out.
And of course it helps support developers as well. It means, rather than you just having paid them in 2005, they're continuing to get support from you.
So I actually think it's reasonable to do as long as the fee isn't too big.
Not everyone loves them though, which is understandable because people are so used now to 99 cents apps on your phone.
Or free.
Or free even, right? Apps maybe which are advertising supported or just, you should just do this for free because you should just do this for free.
And that's why a developer called Cubix has made a change in its calendar app, a rather popular Mac calendar app imaginatively called Calendar 2.
And that's why a developer called Cubix has made a change in its calendar app, a rather popular Mac calendar app imaginatively called Calendar 2.
Okay.
There is a calendar app.
I've not heard of this app.
You've probably heard of Calendar, which comes shipped with macOS. But this is Calendar 2 because it's better.
You know, a bit like, I don't know, Back to the Future 2 or something like that. And it recently shipped a new version of software with a new feature.
Rather than paying a flat fee of $17.99 or your 99 cents per month subscription to gain access to all of the app's advanced features, you can all get those advanced features for free.
Yes, for free. Hooray!
You know, a bit like, I don't know, Back to the Future 2 or something like that. And it recently shipped a new version of software with a new feature.
Rather than paying a flat fee of $17.99 or your 99 cents per month subscription to gain access to all of the app's advanced features, you can all get those advanced features for free.
Yes, for free. Hooray!
For free with no strings attached.
There's not one string. Not one string attached. Not one single— no, absolutely none, John. Absolutely none. There's no way that you can— well, there is one little thing. Okay.
Just one little tiny thing.
One little tiny, tiny, tiny, weeny weeny, whiny whiny thing.
And what it does is it says, look, if you want all of our advanced features for free rather than paying up, you can choose this, which is to unobtrusively generate cryptocurrency in the background.
And what it does is it says, look, if you want all of our advanced features for free rather than paying up, you can choose this, which is to unobtrusively generate cryptocurrency in the background.
Another one. You've covered this recently as well.
Well, crypto mining has really become the fad du jour, hasn't it? Which is French, I believe.
Cryptojacking as well.
Cryptojacking. I think I found it. Jacques.
John.
So everyone knows the iPhone App Store, right? It's a walled garden, Apple controls, only vetted apps are allowed inside and it's— they're control freaks at Apple.
And it's one of the ways in which Apple has managed to keep malicious attackers off iPhones and iPads. And mostly it's worked really well.
Basically developers have to jump through lots of hoops to get their smartphones vetted and out there for the audience.
And it's one of the ways in which Apple has managed to keep malicious attackers off iPhones and iPads. And mostly it's worked really well.
Basically developers have to jump through lots of hoops to get their smartphones vetted and out there for the audience.
And approved. Yeah, exactly.
If you don't have an Apple Mac, however, a desktop computer like a Windows PC, but better because it's running Apple Mac, you get something very similar, which is called the Mac App Store, where you can choose to get your apps from.
It's really super because it automatically updates. It's one-click install. It's easy. It's one place.
And the idea is that Apple has vetted it and it will lead you to believe that it is safer as a result.
It's really super because it automatically updates. It's one-click install. It's easy. It's one place.
And the idea is that Apple has vetted it and it will lead you to believe that it is safer as a result.
Honestly, that would be my assumption.
Well, you would like to think so.
Oh, God. Okay.
So it all depends, of course, on how well Apple polices the Mac App Store. Let's go back to Calendar 2, because Calendar 2 is cryptomining you, right? Or asking for tokens.
Well, does it specifically say that it's going to do that, or does it do it quietly in the background?
It does tell you that it's going to do it. But there's a couple of things here. First of all, is Apple allowing apps that are open and public about crypto mining into the App Store?
You know, what is their official policy on that? Are they — if that's all right with them, then it'd be good to know that, right? Or did Apple miss this app?
Because in this particular case, it tells you it's going to do it. It gives you the option to say no, thank you. But according to some of the users, it did it anyway.
There is a guy called Fred Laxton who installed the app and insists he did not choose to do the crypto mining, to opt into that.
You know, what is their official policy on that? Are they — if that's all right with them, then it'd be good to know that, right? Or did Apple miss this app?
Because in this particular case, it tells you it's going to do it. It gives you the option to say no, thank you. But according to some of the users, it did it anyway.
There is a guy called Fred Laxton who installed the app and insists he did not choose to do the crypto mining, to opt into that.
Right.
And as a consequence, it was mining the Monero cryptocurrency without his permission and raised his CPU to 200%.
The app has been pulled from the App Store, but not before security researcher Patrick Wardle managed to grab a screenshot of some of the bad reviews it was getting in the App Store.
So JFM25090 said, I was pleased with this app till it started doing weird things. Kept on popping up alerts over and over again. I kept on hitting ignore report.
It just kept on popping up. And an app should not be allowed to make a sudden change to your settings and turn into crypto money machines.
I immediately reviewed it and came to write a review and I never write reviews.
The app has been pulled from the App Store, but not before security researcher Patrick Wardle managed to grab a screenshot of some of the bad reviews it was getting in the App Store.
So JFM25090 said, I was pleased with this app till it started doing weird things. Kept on popping up alerts over and over again. I kept on hitting ignore report.
It just kept on popping up. And an app should not be allowed to make a sudden change to your settings and turn into crypto money machines.
I immediately reviewed it and came to write a review and I never write reviews.
Right.
Some advice for — That's another 1-star review. It was, it was.
So this does suggest that it may have bypassed and filtered through the safety net, doesn't it?
Because this kind of behavior is not something that you see very often in the Apple Store apps.
Because this kind of behavior is not something that you see very often in the Apple Store apps.
As far as I know, this may be the first time that this particular thing has happened. Big M37, whatever that is, he says, this shady practice is not acceptable.
I don't know how this app passed Apple's quality inspection. So not ideal by any means.
I don't know how this app passed Apple's quality inspection. So not ideal by any means.
But the app's been pulled now.
Yes.
But it also depends a lot on whether Apple permits that kind of thing and how upfront it was about it.
'Cause it seems to me like a pretty reasonable way of making money out of software.
If you're trying to defeat this horrible thing we've got into where everybody wants everything to be free, you know, there's a lot of worse choices you could make.
You know, you could be bundling all kinds of crapware with your software that you're trying to monetize.
You could be hijacking people's search settings to point them to somewhere else to make a few pennies. But this one seems reasonable.
'Cause it seems to me like a pretty reasonable way of making money out of software.
If you're trying to defeat this horrible thing we've got into where everybody wants everything to be free, you know, there's a lot of worse choices you could make.
You know, you could be bundling all kinds of crapware with your software that you're trying to monetize.
You could be hijacking people's search settings to point them to somewhere else to make a few pennies. But this one seems reasonable.
We've all seen examples of that kind of abuse going on in the past and the problems that that can cause. I completely agree. So what we need to know is what's Apple's policy?
I'm presuming they have a policy of saying, well, you can do this if you're upfront about it.
How come they didn't spot that it actually did it even when people thought they hadn't enabled that feature? 'Cause it does appear there's a bug.
The developer Cubix has blamed the problem on a perfect storm of bugs that didn't work as planned.
I'm presuming they have a policy of saying, well, you can do this if you're upfront about it.
How come they didn't spot that it actually did it even when people thought they hadn't enabled that feature? 'Cause it does appear there's a bug.
The developer Cubix has blamed the problem on a perfect storm of bugs that didn't work as planned.
I wonder if Apple would be able to limit the amount of processing power it would provide should it decide that crypto mining is a viable solution for apps, providing that they're upfront and clear about it.
But you mean actually in the operating system to say, oh, that app is using too much?
Yeah, or they'd have to set limits for the app itself.
I don't think that shouldn't be too difficult.
Yeah, but there may be a danger, you know, why should Chrome be allowed to use so much of my computer's resources? That's a real hog, or something like Final Cut Pro or Logic.
You know, there are some apps which do use a huge amount of resources perfectly legitimately.
Like you, John, I think maybe crypto mining is okay if it's public and if it's definitely agreed to. The problem is that there were bugs.
Qubix told Ars Technica it's supposed to have only used between 10% and 20% of a Mac's computing power, depending on whether it was plugged in or not.
But it actually used much larger amounts and they were using third-party crypto mining code, which they hadn't viewed. They didn't know about service chains.
And so they didn't really have visibility on exactly how it was going to work. And it seems that it was doing too much. So they've ripped out the app for now.
They're going to put out a new version, which doesn't include it, but I suppose our message to Mac users and other computer users out there about their apps is take heed and developers, make sure you don't ship buggy crypto mining code.
You know, there are some apps which do use a huge amount of resources perfectly legitimately.
Like you, John, I think maybe crypto mining is okay if it's public and if it's definitely agreed to. The problem is that there were bugs.
Qubix told Ars Technica it's supposed to have only used between 10% and 20% of a Mac's computing power, depending on whether it was plugged in or not.
But it actually used much larger amounts and they were using third-party crypto mining code, which they hadn't viewed. They didn't know about service chains.
And so they didn't really have visibility on exactly how it was going to work. And it seems that it was doing too much. So they've ripped out the app for now.
They're going to put out a new version, which doesn't include it, but I suppose our message to Mac users and other computer users out there about their apps is take heed and developers, make sure you don't ship buggy crypto mining code.
Well, yeah.
Mm-hmm.
Well, it's always difficult if you're building an app and you want to find a way of monetizing it, you're going to go to somewhere else and just get some stuff to slap in there, whether it's advertising or some crypto mining like this.
Well, you probably are, aren't you? You're not gonna write, you're not gonna roll it yourself 'cause the chances are you're gonna make even bigger blunders if you do that.
So what you're saying in this is it's a supply chain issue and they're saying it's a perfect storm. They don't know how it happened.
Apple are saying, God, I don't know how we missed it. Our big question is Apple, are you gonna be allowing this in your apps or not?
Apple are saying, God, I don't know how we missed it. Our big question is Apple, are you gonna be allowing this in your apps or not?
Exactly. And I think they are the ones who've really failed here. Apple promises a vetted App Store.
It's unclear what its rules are regarding this and it allowed this app to go through, which has upset its users. Okay, okay, calm down.
Well, only because the press and others, you know, caused it because— all right, look, hey, Carole, if this app has got many thousands of users, right, what would happen if it was an app which was being used by millions and millions of people?
If this kind of thing can leak through, what other malicious activity could potentially leak through? That's what we need to worry about. You're just a bleeding heart, aren't you?
It's unclear what its rules are regarding this and it allowed this app to go through, which has upset its users. Okay, okay, calm down.
Well, only because the press and others, you know, caused it because— all right, look, hey, Carole, if this app has got many thousands of users, right, what would happen if it was an app which was being used by millions and millions of people?
If this kind of thing can leak through, what other malicious activity could potentially leak through? That's what we need to worry about. You're just a bleeding heart, aren't you?
But it's not really malicious. I mean, all it's doing is using more resources than it was supposed to.
Oh, really? And rendering your machine basically useless because of all the processing power it's using.
John, if I'm using my computer to also act as my iron lung, keeping me alive, and suddenly my calendar software is using up all of its resources, I find that pretty malicious.
I would recommend if your computer is that important, then pay real money for your software.
Yeah, pay for your apps.
John, what's your story for us this week?
So I wanted to talk a little bit about the mosquito attack, which has been getting a lot of headlines the last week or so. It's basically yet another way to defeat air gapping.
So for those who aren't down with the terminology, air gapping is a pretty common thing in keeping computers secure.
It's basically a step up from firewalling if you want to keep your machine safe, but you need it to be connected to the internet, you use a firewall.
If you want it to be really safe and you're not too worried about it being connected to the internet, then you have it air-gapped, which basically means unplugged.
It's not connected to any network.
So for those who aren't down with the terminology, air gapping is a pretty common thing in keeping computers secure.
It's basically a step up from firewalling if you want to keep your machine safe, but you need it to be connected to the internet, you use a firewall.
If you want it to be really safe and you're not too worried about it being connected to the internet, then you have it air-gapped, which basically means unplugged.
It's not connected to any network.
Yeah.
I mean, that's probably the safest machine. That's what I've always thought. The safest machine you can have is one that's completely disconnected, standalone.
Air-gapping is pretty good, but if you really want to make it secure, then you also unplug it from the electricity.
Smash it up with a big hammer.
Put a plant on it and done.
Right.
Yeah.
Right. Yeah.
Lovely.
But yeah, I mean, it's a concept that's used fairly as standard. I mean, I've worked in air-gapped environments.
It's something you use when you, if you have like a production room where you're making your software and you make sure that only stuff that you absolutely trust goes into that room, you would maybe burn it to a CD and you scan the CD before you put it in any of the machines in the air-gapped room.
It's something you use when you, if you have like a production room where you're making your software and you make sure that only stuff that you absolutely trust goes into that room, you would maybe burn it to a CD and you scan the CD before you put it in any of the machines in the air-gapped room.
Yep. And everything's vetted.
Totally. Yes. And exactly.
And obviously in TV and movie shows, you often see that the bad guys will send a USB to the cops and the cops will plug it into their computer to see the secret files that have been stolen.
And then they say, oh no, we've infected the entire FBI network. And then obviously in real life, they would do that on an air-gapped machine.
They would just take it to a safe machine that wasn't connected to their network and have a look at whatever mysterious stuff they had to be sure it was safe.
And obviously in TV and movie shows, you often see that the bad guys will send a USB to the cops and the cops will plug it into their computer to see the secret files that have been stolen.
And then they say, oh no, we've infected the entire FBI network. And then obviously in real life, they would do that on an air-gapped machine.
They would just take it to a safe machine that wasn't connected to their network and have a look at whatever mysterious stuff they had to be sure it was safe.
Or another great way to illustrate an air-gapped computer, which probably many people would understand is— remember that bit in Mission: Impossible when Thom Cruise comes down on the wires, right?
And Jean Reno is up there with the rope, isn't he? And he's beginning to sweat and all the rest of it. And he sees a rat. Oh, I hate rats, he goes.
And Thom Cruise swoops down and all— it's terribly exciting.
And Jean Reno is up there with the rope, isn't he? And he's beginning to sweat and all the rest of it. And he sees a rat. Oh, I hate rats, he goes.
And Thom Cruise swoops down and all— it's terribly exciting.
The reason he had to do that was that the room was air-gapped. If it wasn't, he could just hack in from anywhere in the world.
So you're saying you're going to tell me that this mosquito attack is a way of not needing Thom Cruise to come down the ventilation shaft.
Well, actually, no. Oh, yeah, it kind of, I mean, it sounds like that. So basically there's a team in Ben-Gurion University in Israel.
They've been working on this stuff for quite a while now. So early attacks against air gaps, at least 5 years old.
They've been working on this stuff for quite a while now. So early attacks against air gaps, at least 5 years old.
Okay.
This is more about getting data out from inside the air gap. And people have shown that you can use sound.
So you could make noises on the air gap side, and then you could detect those noises on the other side and you could use those to send signals between two computers.
So you could make noises on the air gap side, and then you could detect those noises on the other side and you could use those to send signals between two computers.
John, what kind of noises would people be making on the air gap side?
Well, they'd probably be little tiny beeps or clicks that would be like a binary signal.
Oh, okay. I see.
And they've done it using fan noise. They've done it using blinking LEDs on disk drives or routers. They've even done it using heat signatures.
So making the machine warm up and cool down at predictable rates so that the pattern can be converted into a signature.
So making the machine warm up and cool down at predictable rates so that the pattern can be converted into a signature.
Right.
Wow.
Obviously that last one tends to be quite slow. So this most recent one, this Mosquito attack.
So this is using ultrasonic so people can't hear it, which is important because obviously if your highly secure machine suddenly starts making weird noises, you'd be a little concerned.
But it also doesn't require a microphone.
So what they've done is basically they've taken speakers and using the computer that those speakers are connected to, reversed the way they work.
So rather than turning electronic signal into sound vibrations, they're taking sound vibrations and turning it back into electronic signal to go into the computer.
So this is using ultrasonic so people can't hear it, which is important because obviously if your highly secure machine suddenly starts making weird noises, you'd be a little concerned.
But it also doesn't require a microphone.
So what they've done is basically they've taken speakers and using the computer that those speakers are connected to, reversed the way they work.
So rather than turning electronic signal into sound vibrations, they're taking sound vibrations and turning it back into electronic signal to go into the computer.
Holy moly.
So that's— and then they've set up these two machines.
They've got a cute little video on YouTube with a— they've set up these two computers and they've sent an image of a little panda from one machine to the other, just using the sound coming from the two machines.
Actually, the main thing about this is that it's two-way.
So you have on either side, you're jumping the air gap using these two sets of speakers to communicate between the two machines. Now, there are some problems with this, obviously.
You need to actually be in control of the machine on the air gap network in the first place. So you still need Thom Cruise to abseil down with his USB and stick it in.
Which makes it kind of pointless. But obviously it's not, if you want to grab something off the machine, you can just do it at that point.
But if you want something more long-term, then you can get in, get the infection in place and have it sit there and send messages backwards and forwards.
They've got a cute little video on YouTube with a— they've set up these two computers and they've sent an image of a little panda from one machine to the other, just using the sound coming from the two machines.
Actually, the main thing about this is that it's two-way.
So you have on either side, you're jumping the air gap using these two sets of speakers to communicate between the two machines. Now, there are some problems with this, obviously.
You need to actually be in control of the machine on the air gap network in the first place. So you still need Thom Cruise to abseil down with his USB and stick it in.
Which makes it kind of pointless. But obviously it's not, if you want to grab something off the machine, you can just do it at that point.
But if you want something more long-term, then you can get in, get the infection in place and have it sit there and send messages backwards and forwards.
And in this demo video, they've sent this, right? It is a bit like ASCII art really. It's very low res.
It's pretty basic. Yeah. Well, it's because this kind of sending signals this way is not very efficient. You know, you're not sending millions of bytes per second. You're sending—
No, of course you're not. Yeah. So I've thought of a potential way of securing against this.
No way.
No speakers?
Just while you've been speaking. Well, there's that obviously, but then how are you going to hear when your computer goes, eh, eh?
Always work with heavy metal music playing, blaring.
How are you going to listen to Smashing Security podcast while you're in the secure room? Yes.
Right.
No, no, no.
So I'm not going to say no speakers because we need reviews from people working in air-gapped environments, although I'm not sure how they're posting the internet.
My idea, it's ultrasonics, right? Get a chihuahua. Every office needs a chihuahua.
My idea, it's ultrasonics, right? Get a chihuahua. Every office needs a chihuahua.
A Maltese, a little Maltese.
Or a lovely Maltese. I love Maltese. I love those.
A Pooberdor.
What's that?
It's the opposite of a Labradoodle.
And it could pick up the high frequencies and go, yep, yep, yep, yep, yep, yep. Maybe if you got one which knew Morse code as well, it could actually communicate with you.
Say, oh, I've just spotted a panda has been sent or something like that.
Say, oh, I've just spotted a panda has been sent or something like that.
Poopador could be pug and Labrador, actually.
Just saying.
That's a poor Labrador.
Poor pug.
Kroll. What's your story for us this week?
For my story, gentlemen, we are off to China. China's been in the news a lot recently. They have been making a huge effort in terms of cleaning up pollution.
Aside from the fact that China suffers from a lot of polluted waters, ground, and air, it might be spurred on by speculations that they want to be world leader in the electrical car business, which is booming.
Aside from the fact that China suffers from a lot of polluted waters, ground, and air, it might be spurred on by speculations that they want to be world leader in the electrical car business, which is booming.
All right.
But as we know, not everything is happy, happy, joy, joy in China.
Specifically, China's already stronghold on what its 1.4 billion citizens can access and say does seem to be tightening, both in real life and online.
So let me introduce you guys to the concept of a citizen score, and I wonder what you guys are going to make of it, whether you think something similar might ever happen in less overtly controlled places like Europe or America.
So back in 2014, the State Council of China published a document outlining the construction of a social credit system.
According to Wired, the principal question asked in the doc is this: what if there was a national trust score that rated the kind of citizen you were?
Now, 4 years on, this document is much more than a pipe dream. China's social credit system, quote unquote, is looking to launch in a few years' time, in 2020.
So the gist seems to be this: how you behave on popular social media sites—so what you say, show, and share—will contribute to your social credit score.
In other words, can China authorities monitor so much behavior that they can accurately assign a holistic value to a specific individual?
Specifically, China's already stronghold on what its 1.4 billion citizens can access and say does seem to be tightening, both in real life and online.
So let me introduce you guys to the concept of a citizen score, and I wonder what you guys are going to make of it, whether you think something similar might ever happen in less overtly controlled places like Europe or America.
So back in 2014, the State Council of China published a document outlining the construction of a social credit system.
According to Wired, the principal question asked in the doc is this: what if there was a national trust score that rated the kind of citizen you were?
Now, 4 years on, this document is much more than a pipe dream. China's social credit system, quote unquote, is looking to launch in a few years' time, in 2020.
So the gist seems to be this: how you behave on popular social media sites—so what you say, show, and share—will contribute to your social credit score.
In other words, can China authorities monitor so much behavior that they can accurately assign a holistic value to a specific individual?
So they're looking at everything that you do online and they're going to give you a score. They're going to think, oh, very complimentary message they've posted there.
Not so complimentary this.
Not so complimentary this.
Or for example, they might be interested in if you're a suspect in a crime, for instance, right? Or not just what you post online.
So it's real world stuff too.
Real world stuff too. Now China has in place this, what we call the Great Firewall. This is designed to control and prevent access to Western news websites.
And sites like Google, Facebook, YouTube, Twitter, these are all really strongly controlled in China. But they have an alternative, the replacement social site called WeChat.
And WeChat is seriously popular. We're talking 902 million daily users, and about 38 billion messages are sent on the platform every day. This is according to The Verge.
And sites like Google, Facebook, YouTube, Twitter, these are all really strongly controlled in China. But they have an alternative, the replacement social site called WeChat.
And WeChat is seriously popular. We're talking 902 million daily users, and about 38 billion messages are sent on the platform every day. This is according to The Verge.
So this is like Twitter, but this is the Chinese version.
This is Twitter times 1,000.
So on WeChat, you play games, you book meetings, you make video calls, you pay bills, you access bank accounts, you find out local hangouts, you book doctor appointments, you file police reports, you hail cabs.
You're hearing me, right? You do everything through this site.
And more interestingly, WeChat will soon issue virtual ID cards, which individuals will use in lieu of their physical state-issued ID card.
So this kind of suggests to me that maybe people don't have a lot of choice about using WeChat.
So on WeChat, you play games, you book meetings, you make video calls, you pay bills, you access bank accounts, you find out local hangouts, you book doctor appointments, you file police reports, you hail cabs.
You're hearing me, right? You do everything through this site.
And more interestingly, WeChat will soon issue virtual ID cards, which individuals will use in lieu of their physical state-issued ID card.
So this kind of suggests to me that maybe people don't have a lot of choice about using WeChat.
Because of these virtual ID cards, yeah.
Well, not just the ID cards, but it's so convenient to use this one platform to get everything you need done.
I'm sitting here listening to this, Carole, and I can't believe that Smashing Security isn't on WeChat. Why haven't we created an account?
Hey, would they let us have that missing G in our name, which Twitter won't let us have?
Hey, would they let us have that missing G in our name, which Twitter won't let us have?
They probably need even shorter names.
As I expect, you know, its parent company Tencent scored 0 out of 100 for WeChat's lack of freedom of speech protection and lack of end-to-end encryption in a 2016 Amnesty International report on user privacy.
Probably not allowed. 0 out of 100.
Probably not allowed. 0 out of 100.
I don't want an account anymore.
And I should say, Tencent do have a contested reputation for being, well, in bed with, you know, the government of China, that they may be sharing a lot more data than perhaps is being said.
I think if you say someone's in bed with the Chinese government, that probably damages your social score as well, Carole. Little bit grubby.
Is it a bit grubby? Well, it is episode 69. Okay, so back to our social credit system.
Now, there are not a lot of details on how this is going to work exactly, but since there's so much information being put on these sites, I think it's fair for us to speculate maybe, right?
So let me give you a few scenarios. So if you were online on a social site, told someone to fuck off, would that mean that you'd lose points? Would that be considered socially rude?
What if you hearted a picture of a political leader?
Now, there are not a lot of details on how this is going to work exactly, but since there's so much information being put on these sites, I think it's fair for us to speculate maybe, right?
So let me give you a few scenarios. So if you were online on a social site, told someone to fuck off, would that mean that you'd lose points? Would that be considered socially rude?
What if you hearted a picture of a political leader?
Well, then you probably lose those points as soon as they go out of power.
Or what if you connected unwittingly with a suspicious individual or a suspect? You may not know that, and it might occur to you.
I don't even know if you would know what your score is. Do you get to watch the score?
I don't even know if you would know what your score is. Do you get to watch the score?
Oh, I'm sure you get to check your score. Isn't that a big Black Mirror? Remember?
And you kind of see this number go up and down.
I wonder what would have happened to my score when Piers Morgan blocked me on Twitter.
They would have gone up. Probably. Now, okay, so this is all the WeChat and the social credit system, and we're going to probably find out more as we get closer to their launch.
But tie this announcement with this news that came out today at a border near Beijing.
Chinese authorities are currently testing out the use of smart glasses to identify through facial recognition who's naughty and who's nice.
So these are AI-powered glasses made by LLVision, and they pick up facial features and car registration plates and then match them in real time with databases of suspects, right?
If you want a picture of the future, imagine a boot stamping on your human face forever.
But tie this announcement with this news that came out today at a border near Beijing.
Chinese authorities are currently testing out the use of smart glasses to identify through facial recognition who's naughty and who's nice.
So these are AI-powered glasses made by LLVision, and they pick up facial features and car registration plates and then match them in real time with databases of suspects, right?
If you want a picture of the future, imagine a boot stamping on your human face forever.
I think that's a little bit harsh. Do you? Well, basically, so what China's implementing here is what you were asking for earlier, is a way of rating people who are reviewing you.
A lot of sites have that already. So you can see the reviewers and it says whether they're a regular or they're a newbie or things like that.
And it's basically just an extension of that.
A lot of sites have that already. So you can see the reviewers and it says whether they're a regular or they're a newbie or things like that.
And it's basically just an extension of that.
So you're saying you think it's okay the state controls and allocates points based on behavior online and offline?
Yeah, it kind of depends what you get for those points. You know, if at the end of the year your points are nice and high and they say, here's a free sandwich or something.
Oh, free sandwiches. Yeah, that does sound nice, actually.
And if your points are kind of low, they say, oh, please try harder to be nice in your reviews online. Then that's great.
John, you have been in China recently, haven't you?
I have. Yes.
What did you make of everything, of, you know, being able to connect online and everything?
I was actually, I found it much easier than I'd expected, to be honest.
There were obviously quite a few, Google, especially Google, Facebook, big foreign services tend to be blocked on local systems.
But as a foreigner, I had a phone so I could just use my 3G connection to go anywhere I wanted.
There were obviously quite a few, Google, especially Google, Facebook, big foreign services tend to be blocked on local systems.
But as a foreigner, I had a phone so I could just use my 3G connection to go anywhere I wanted.
Oh, I see. You didn't use convenient Wi-Fi hotspots, John. You just think, oh, this is very handy. My hotel is offering me this. You stayed on 3G, did you?
Well, as much as possible. Yeah, because things worked and on the Wi-Fi, a lot of stuff was blocked.
Yeah. Oh, interesting.
Well, the thing is, did you use a VPN while you were out there? Yes, I did.
That's obviously something that most internet-savvy people are doing to try and bypass all these blocks that are put up to sites like Google, Facebook, etc.
China is actively, however, cracking down on the use of VPNs.
And according to the BBC, Beijing ordered its state-owned ISPs, which you were probably connected to— China Mobile, China Unicom, and China Telecom— to block access to unauthorized VPNs.
That's obviously something that most internet-savvy people are doing to try and bypass all these blocks that are put up to sites like Google, Facebook, etc.
China is actively, however, cracking down on the use of VPNs.
And according to the BBC, Beijing ordered its state-owned ISPs, which you were probably connected to— China Mobile, China Unicom, and China Telecom— to block access to unauthorized VPNs.
And the thing is, can you trust the authorized VPNs? Because what have they had to do to allow China to say, oh yeah, you can use that VPN, no problem with that one.
Exactly.
And you just can't help but wonder if there's lots more VPNs coming on the market only to try to make sure that they're not listed on the list of VPNs that might be blocked.
The government's also even demanded that shopping websites like Alibaba remove references to VPNs on their site. So basically, don't sell them, don't talk about it, hush hush.
And you just can't help but wonder if there's lots more VPNs coming on the market only to try to make sure that they're not listed on the list of VPNs that might be blocked.
The government's also even demanded that shopping websites like Alibaba remove references to VPNs on their site. So basically, don't sell them, don't talk about it, hush hush.
I wonder if we have any listeners in China who might be able to give us some perspective on all of this. We'd love you to get in touch.
We'd love some information on that.
Because you can speak more knowledgeably about this than probably—
Than I can. Thank you very much.
No, no, it's good.
No, I'm not saying— what I am saying though is if they begin scoring people based on their social media activity and whether they've said something which might be considered anti-government, for instance, it might be tempting to install some kind of little bot or something which does automatically like or heart or retweet or re-WeChat or whatever the phrase is, people in power inside the Chinese authorities and show that you're a model citizen and then just occasionally pepper what you really think.
No, I'm not saying— what I am saying though is if they begin scoring people based on their social media activity and whether they've said something which might be considered anti-government, for instance, it might be tempting to install some kind of little bot or something which does automatically like or heart or retweet or re-WeChat or whatever the phrase is, people in power inside the Chinese authorities and show that you're a model citizen and then just occasionally pepper what you really think.
Follow Graham's advice. I'm sure no harm will come. This episode of Smashing Security is sponsored by LastPass.
LastPass simplifies password management for companies of every size, but it isn't just for enterprises. It's equally a great solution for business teams, families, and single users.
Learn more at smashingsecurity.com/lastpass.
LastPass simplifies password management for companies of every size, but it isn't just for enterprises. It's equally a great solution for business teams, families, and single users.
Learn more at smashingsecurity.com/lastpass.
And welcome back, and it's our favorite time of the show, the part of the show which we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever. Doesn't have to be security-related necessarily. Shouldn't be.
And my pick of the week this week is, have either of you mastered the Rubik's Cube? John, you seem like the sort of person who would have whiled away your—
It could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever. Doesn't have to be security-related necessarily. Shouldn't be.
And my pick of the week this week is, have either of you mastered the Rubik's Cube? John, you seem like the sort of person who would have whiled away your—
I feel insulted. Okay, now I haven't, but I don't know why you would say— John, of course, you know, because you have a penis, you must have been able to do it.
You don't actually use that, but it's mainly a hand thing, the Rubik's Cube.
No, the reason is, Carole, is that I thought you probably had an active social life and maybe John coming from Cornwall would be less likely. No, that's why I said it.
Just for the record, I've only done two sides of a Rubik's Cube. I've never been able to do it.
Okay, that's about the same as me.
I think I have done a whole one at some point in the past. Probably a long, long time ago.
Really? Well, I bet you haven't done it in 0.38 seconds.
Whoa. Well, no, that would spoil the fun entirely.
You haven't even—
You can't even blink that fast.
Because there are a couple of dudes, Ben Katz and Jared DiCarlo, and they have built a robot that can solve a mixed-up, messed-up Rubik's Cube in world record time, smashing the previous record.
Because there are a couple of dudes, Ben Katz and Jared DiCarlo, and they have built a robot that can solve a mixed-up, messed-up Rubik's Cube in world record time, smashing the previous record.
Well, it won't take you much time to watch that video, I guess, of them solving it.
Well, what they do actually— so we put a link to the video in the show notes, or you guys can watch it right now if you like. Solving in 3, 2, 1.
Okay, it's over. It's already over.
Yeah, but then they show it in slow motion. Now a typical Rubik's Cube takes about 19 to 23 turns. They reckon that they could actually make this even faster.
They can make it 0.25 seconds.
They can make it 0.25 seconds.
And it's quite interesting. You can read all about it on their blog where they've talked about their contraption which they've built.
And they got a couple of webcams to view the cube from different angles.
And they got a couple of webcams to view the cube from different angles.
Yeah, the video's done quite well actually, and it's only 30 seconds long, and I think they go through it a number of times.
They really explain exactly what they're doing in that 30 seconds.
They really explain exactly what they're doing in that 30 seconds.
I don't think that's an official Rubik's Cube. The ones I had were always very kind of sticky, and they'd get jammed up very easily.
Well, in the video you'll see that sometimes things go wrong. Oh, and I didn't notice that, it was so fast. They destroyed a number of Rubik's cubes.
Well, exactly. You see, they're fragile.
Cool. Good pick of the week, Graham.
Pick of the week.
John, what's your pick of the week? So I was wondering, Graham, this sounds something you might know. How much real estate would $1 million get you in Monaco compared to Cape Town?
Oh, any ideas? Well, Monaco is going to be more expensive, surely.
Exactly. Yes, it's quite a lot. Cape Town is meant to be quite nice too, but—
Oh no, but it'll get you almost 10 times as much for your— A million dollars in Monaco would get you 16 square metres, and in Cape Town, 157. Oh!
And you're wondering why, how I know that, right?
And you're wondering why, how I know that, right?
Yes, because you're so smart.
So it's because I get an email every day from a site called Statista, who are a bunch of statistic freaks, and they send out all these daily updates that I subscribe to on just random bits of information, basically.
I'm going to the site.
I'm going to the site.
Hang on, John, you sign up for this useless— It's a great—
It's very entertaining. It's not—
How long have you been signed up? How long have you been doing it?
I would say at least 2 years. Oh my goodness.
And every morning I go and have a little look. It's just a little infographic, a little graph or something, and I go, oh, that's interesting.
So it's not always about real estate prices?
Oh no, no, no, no. No, it's a lot of it actually is kind of digital stuff.
So finances of the big tech firms and users of different social media sites and all kind of matched against each other and put into perspective.
There's a great one Carole, you're gonna love this one. I think this was in the last few days, I think.
So finances of the big tech firms and users of different social media sites and all kind of matched against each other and put into perspective.
There's a great one Carole, you're gonna love this one. I think this was in the last few days, I think.
So Bob Ross, yes, the host of The Joy of Painting, they have a great infographic of different items that he's to have in one of his paintings.
Apparently you have a 56% chance of a deciduous tree compared to 53% chance of a conifer tree.
Apparently you have a 56% chance of a deciduous tree compared to 53% chance of a conifer tree.
Welcome back, certainly glad you decided to spend a half hour with us today.
I think you'll enjoy the little painting we're going to do, and I hope you take the time to paint along, or you pull up your easy chair and just relax with us.
I thought today we'd just—
I think you'll enjoy the little painting we're going to do, and I hope you take the time to paint along, or you pull up your easy chair and just relax with us.
I thought today we'd just—
I love that you're more likely to have two mountains in one of his pictures than a single man-made structure. Oh, there you go.
I was wondering, John, why you signed up for this thing. Now I'm wondering— I really can't remember who is it that is collecting this data.
Well, it's watching Bob Ross videos and working out what kind of trees he's just drawn.
Well, it's watching Bob Ross videos and working out what kind of trees he's just drawn.
Well, I don't know. So I think a lot of the stuff that they pull in kind of data from various different sources, either from people that have done academic research or—
Academic research on Bob Ross pictures? Possibly.
John, this is crazy! It's coming from all kinds of different sources. It's quite a big firm, Statista.
And the other thing that I wanted to mention this week, because this is what made me think of it this week, they recently put out a thing called their Digital Economy Compass 2018.
Which is basically a bunch of their standard infographics put together in a kind of massive— I think it's 220 pages or something.
Just hundreds of little graphs and charts all about the digital economy. It's fascinating.
And the other thing that I wanted to mention this week, because this is what made me think of it this week, they recently put out a thing called their Digital Economy Compass 2018.
Which is basically a bunch of their standard infographics put together in a kind of massive— I think it's 220 pages or something.
Just hundreds of little graphs and charts all about the digital economy. It's fascinating.
I have just bookmarked the page, Graham, so you should too. I thought it was great. Percentage of females aged over 75 with hypertension.
Exactly. Bet you want to know. You want to know, right?
It's almost 80%. What's the link?
I need to know that right now.
It's statista.com. Oh, easy. One more for you.
Yep. Apple has enough money offshore sitting, waiting to do something to buy every single one of their 132,000 employees a Bugatti.
John, I think that's a great Pick of the Week.
I think it sounds very interesting. I'll go and check it out. Carole, what's your Pick of the Week?
Okay, let me start with the story first. I was at a meeting and this guy stood up at the meeting to show a video he'd been working on. And the video loaded up on the guy's YouTube.
So he basically put the video on a YouTube channel and set it as private and then was going to show the group.
And he was asked to access the channel from the computer connected to the display or the presentation screen. You with me?
So he basically put the video on a YouTube channel and set it as private and then was going to show the group.
And he was asked to access the channel from the computer connected to the display or the presentation screen. You with me?
Yeah.
So as he's logging in and looking for the video, we're watching the screen and he gets to his account and is searching for the video on YouTube.
And while he's doing all this, we are looking at his Up Next section of his YouTube channel with recommendations of videos on display.
And many of these were what we would call NSFW, if you know what I mean. And I kind of felt for the guy, right?
So anyway, fast forward to a few days ago, I'm scanning Reddit's No Stupid Questions sub and see this question from handle Absar.
Is there a way to stop certain video suggestions on YouTube?
I watched 3 flat earth videos so I could have a good laugh, and now 90% of the recommended videos are from flat tarts, quote unquote.
And while he's doing all this, we are looking at his Up Next section of his YouTube channel with recommendations of videos on display.
And many of these were what we would call NSFW, if you know what I mean. And I kind of felt for the guy, right?
So anyway, fast forward to a few days ago, I'm scanning Reddit's No Stupid Questions sub and see this question from handle Absar.
Is there a way to stop certain video suggestions on YouTube?
I watched 3 flat earth videos so I could have a good laugh, and now 90% of the recommended videos are from flat tarts, quote unquote.
Flat tarts?
Quote unquote, quote unquote. The famous flat tart community.
So lots of people replied to this guy, but one called Trilicon gave great advice, which I'm gonna share with you here. All you need is to curate your history and recommendations.
So let me summarize the advice for you. First, on YouTube, go to history, delete any recent videos that you don't want recommended to you in the future.
Start with big hitters like over a million views because they really skew your recommendations. Yeah, I didn't know that either.
Second, in your Up Next section, if you see the videos that are lined up in your Up Next sessions, right beside them you can see a column of three dots right next to your recommendations.
If you click on that, choose Not Interested from that list and select Tell Us Why and tell them I don't want recommendations based on this video.
Third, consider watching videos with over a million views in some form of private browser because they have such an impact on recommendations they provide you.
If you'd rather watch a video that has lots of views that you don't want to recommend to you in future, do it in a private browsing session.
And four, only like videos that you're actually interested, which seems pretty easy, right? That's a duh option, but I'm sure lots of people don't think that way.
So if you do like a video, say yes, give me more of this please. All right, and there you go. So thank you very much, Trilicon.
And now many, many presenters around the world who have to open up YouTube on a display can clean up. I mean, the best way to do it is have two accounts.
I'd say have a business account, a personal account. That's the way I'd handle it personally. But there you go. Cool.
So let me summarize the advice for you. First, on YouTube, go to history, delete any recent videos that you don't want recommended to you in the future.
Start with big hitters like over a million views because they really skew your recommendations. Yeah, I didn't know that either.
Second, in your Up Next section, if you see the videos that are lined up in your Up Next sessions, right beside them you can see a column of three dots right next to your recommendations.
If you click on that, choose Not Interested from that list and select Tell Us Why and tell them I don't want recommendations based on this video.
Third, consider watching videos with over a million views in some form of private browser because they have such an impact on recommendations they provide you.
If you'd rather watch a video that has lots of views that you don't want to recommend to you in future, do it in a private browsing session.
And four, only like videos that you're actually interested, which seems pretty easy, right? That's a duh option, but I'm sure lots of people don't think that way.
So if you do like a video, say yes, give me more of this please. All right, and there you go. So thank you very much, Trilicon.
And now many, many presenters around the world who have to open up YouTube on a display can clean up. I mean, the best way to do it is have two accounts.
I'd say have a business account, a personal account. That's the way I'd handle it personally. But there you go. Cool.
That's a very practical pick of the week.
Well done, you. Very useful. There you go. It's not only a pick of the week, but a tip of the week.
Well, that just about wraps it up for this week. If you want to follow us on Twitter, we are @SmashingSecurity without a G. Twitter didn't let us have a G.
We are on Facebook in the Smashing Security podcast group. We've got a store, smashingsecurity.com/store.
And oh, the other thing I need to do is, John, thank you very much for joining us on the show today.
If people want to know more about you and AMTSO, how should they get in touch with you?
We are on Facebook in the Smashing Security podcast group. We've got a store, smashingsecurity.com/store.
And oh, the other thing I need to do is, John, thank you very much for joining us on the show today.
If people want to know more about you and AMTSO, how should they get in touch with you?
You can reach me at . Fantastic.
Well, thank you at home for tuning in. If you like the show, please give us a rating and positive review on Apple Podcasts.
It really does help new listeners discover the show, and you can check out past episodes at smashingsecurity.com.
It really does help new listeners discover the show, and you can check out past episodes at smashingsecurity.com.
Until next time, cheerio, bye-bye, bye-bye, au revoir, adieu, après ma lettre de douche.
I love Bob Ross.
