Give Facebook your nude pics to tackle revenge porn

Yes, you’re so desperate to stop your nude photos being shared on Facebook that you share them with Facebook.

Graham Cluley

ABC News in Australia reports that Facebook is “teaming up with Government to stop nude photos ending up on Messenger, Instagram”:

Facebook is partnering with a small Australian Government agency to prevent sexual or intimate images being shared without the subject’s consent.

e-Safety Commissioner Julie Inman Grant said victims of “image-based abuse” would be able to take action before photos were posted to Facebook, Instagram or Messenger.

“We see many scenarios where maybe photos or videos were taken consensually at one point, but there was not any sort of consent to send the images or videos more broadly,” Ms Inman Grant said.

I guess you’ve got to be pretty worried that some toe-rag is interested in sharing nude photographs of you, if you’re prepared to ask for Facebook’s help in this way.

As far as I’m aware, Facebook hasn’t published any information on how it plans to implement this. I would imagine that they are using similar technology to that used by internet companies to identify child sexual abuse images – where they don’t need to store a copy of the actual offending content, but instead have a database of “fingerprints” that can identify images and videos.
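As an added illustration of the fingerprint model described above (and of the point made later in the podcast that a plain checksum breaks as soon as an image is resized or stamped with a logo), here is a small Python example. It is not Facebook's or the eSafety Commissioner's code: it uses a simple difference hash (dHash) as a stand-in for whatever algorithm Facebook actually uses, which the page does not describe, and runs on constructed grayscale images with assumed names.

```python
"""Fingerprint-only matching for unwanted images (added example, not
Facebook's code). Images are grayscale pixel grids: lists of rows of
ints 0-255. dHash is an assumed stand-in for Facebook's real algorithm."""
import hashlib
from typing import Dict, List, Optional

Image = List[List[int]]


def crypto_checksum(img: Image) -> str:
    """Exact-match fingerprint: any pixel or size change gives a new digest,
    so a resized or watermarked copy is never matched."""
    raw = bytes(p for row in img for p in row)
    return hashlib.sha256(raw).hexdigest()


def resize(img: Image, width: int, height: int) -> Image:
    """Nearest-neighbour resample to width x height."""
    src_h, src_w = len(img), len(img[0])
    return [[img[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]


def dhash(img: Image, size: int = 8) -> int:
    """Difference hash: shrink to (size+1) x size pixels, then emit one bit per
    horizontal neighbour pair saying whether brightness rises left to right.
    Rescaling and small edits leave most of the 64 bits unchanged."""
    small = resize(img, size + 1, size)
    bits = 0
    for row in small:
        for x in range(size):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


class FingerprintDB:
    """Holds fingerprints only, never pixels, so a breach of this store does
    not hand out the photographs themselves. The distance threshold trades
    misses (too strict) against false positives on unrelated images (too loose)."""

    def __init__(self, max_distance: int = 10):
        self.fingerprints: Dict[int, str] = {}  # fingerprint -> case id (assumed)
        self.max_distance = max_distance

    def register(self, case_id: str, img: Image) -> None:
        self.fingerprints[dhash(img)] = case_id  # the image is discarded here

    def match(self, img: Image) -> Optional[str]:
        """Return the case id of the closest stored fingerprint within the threshold."""
        h = dhash(img)
        best = min(self.fingerprints, key=lambda f: hamming(f, h), default=None)
        if best is None or hamming(best, h) > self.max_distance:
            return None
        return self.fingerprints[best]


def sample_image(w: int = 32, h: int = 32) -> Image:
    """Constructed test image: horizontal gradient with a bright rectangle."""
    img = [[(x * 255) // (w - 1) for x in range(w)] for y in range(h)]
    for y in range(8, 20):
        for x in range(6, 14):
            img[y][x] = 240
    return img


def altered_copy(img: Image) -> Image:
    """Upscale 2x and stamp a bright 8x8 'logo' in the corner: the kind of
    edit that defeats an exact checksum but not a perceptual fingerprint."""
    big = resize(img, len(img[0]) * 2, len(img) * 2)
    for y in range(8):
        for x in range(8):
            big[y][x] = 255
    return big


def unrelated_image(w: int = 32, h: int = 32) -> Image:
    """Constructed control image with different structure (vertical gradient)."""
    return [[(y * 255) // (h - 1) for x in range(w)] for y in range(h)]


def demo() -> dict:
    original = sample_image()
    altered = altered_copy(original)
    db = FingerprintDB()
    db.register("case-001", original)
    return {
        "checksum_same": crypto_checksum(original) == crypto_checksum(altered),
        "distance": hamming(dhash(original), dhash(altered)),
        "altered_match": db.match(altered),
        "unrelated_match": db.match(unrelated_image()),
    }


if __name__ == "__main__":
    print(demo())
```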


My hope and expectation is that Facebook will automate the process as much as possible, but that there may need to be some human involvement to review submitted images.

My guess is that Facebook will tightly control who in the company can review and access submitted images, and that they will be blurred to protect people’s privacy, before they are converted into “fingerprints” and then permanently wiped.

You probably do need some human involvement to prevent people chucking images into the system which *wouldn’t* be classified as “revenge porn” (perhaps with mischief in mind, or perhaps in an attempt to prevent the spread of images that they were trying to suppress for other reasons).

This “human” element is probably the most risky part of the process, and there will be many people ready to castigate Facebook if it screws this up.

“Revenge porn” is horrendous enough as it is, without technology companies making the problem worse. Facebook knows that there will be many people concerned about how it handles such sensitive content, and I imagine they have put a good deal of thought into minimising the chances that anything goes wrong.

By the way, “revenge porn” is a horrendous phrase. We need to think up a better one.


Update 9 November 2017: Facebook has published some more details of its scheme.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

Transcript: This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Hello, and today's episode of Smashing Security is supported in part by Netsparker.

They are the web application and security scanner that can automatically find security flaws in your website and fix them before hackers can exploit them.

If you want to automatically check your web applications for cross-site scripting, SQL injection, and other vulnerabilities and coding errors that can leave you and your business exposed to malicious hackers, check out Netsparker.

Try it out now by downloading the demo from www.netsparker.com/smashing. And thanks to Netsparker for supporting the show.

Smashing Security, Episode 52: Facebook tackles vengeful scumbags and a sex toy privacy boob with Carole Theriault and Graham Cluley.
CAROLE THERIAULT
Hello, hello, and welcome to Episode 2 of Carole's Agony Corner.
GRAHAM CLULEY
The regular— Oh, Carole, hi there. How you doing?
CAROLE THERIAULT
I'm doing well. I'm doing well. We'll do it again sometime. We've had so much feedback saying it was fun. We'll do it again, but maybe not every week. It's a lot of work.
GRAHAM CLULEY
I had people coming up to me in the street talking about that cat and sharing their opinions of the cat.

And it's people who I didn't even know listen to the podcast, but clearly do. But that was the one thing which really got them interested.

If you don't know what we're talking about, go listen to episode 51.
CAROLE THERIAULT
That's right.
Unknown
And we're also joined this week, by the way, it's Smashing Security, episode 52, actually.
CAROLE THERIAULT
And it's not our one-year anniversary because there were weeks when we did two episodes.
GRAHAM CLULEY
Do you remember those halcyon days when we were that keen that we'd do lots of episodes per week? Yes, but we'll be coming up to our birthday, won't we?

Just before Christmas, I think it is.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
That'll be fantastic. And we are joined this week by returning special guest, Mr. John Hawes. Hello, John. How are you?
JOHN HAWES
Hello. Hello. I'm very well.
GRAHAM CLULEY
Yay. Good to have you here, John. And as always, this week, there's been a lot going on, hasn't there, in computer security in the last week.

So we have picked a few of the topics, things which have caught our interest, which we will chat about right now.

And the first thing I wanted to talk about was Facebook and revenge porn. Actually, I don't want to talk about revenge porn because I really dislike that phrase, revenge porn.
CAROLE THERIAULT
Oh, I'm glad you just said that because I was about to take offense. It's an awful term.
JOHN HAWES
It's pretty unpleasant.
GRAHAM CLULEY
It's a bit like when people talk about child porn and I think, well, this isn't actually porn, this is child abuse.

And similarly with revenge porn, I don't know what it should be called. Maybe—
CAROLE THERIAULT
I mean, as a big fan of porn, right? You definitely don't want it to be sullied in any way.
GRAHAM CLULEY
Exactly. Yeah, I'd hate porn to be soiled in this way.
JOHN HAWES
Keep the porn clean.
GRAHAM CLULEY
But I think instead of revenge porn, we should call it sort of, I don't know, image intimidation or image-based abuse or something. We need some phrase.

But of course, the newspapers love the phrase revenge porn. That's the sort of thing you may have seen in the press, and it's a ghastly phenomenon. We all know what it is.

It's a serious problem.
CAROLE THERIAULT
Oh, hey, hey, I think you should explain what it is just in case.
GRAHAM CLULEY
So what this is, is where somebody has got some photographs or video content of you of an intimate nature.

Maybe they hacked it and stole it from your computer, or maybe you shared it with them because you were in an intimate relationship with them, which then went sour.

And then people threaten, maybe blackmail you, or just because they don't like you anymore, to post it all over social media and send it to all of your friends and your parents and your employees.

And it's just, you know, it's horrible.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
How horrible. And this is something which obviously didn't exist in yesteryear.

The internet has made this so much easier and social networks have made it so much simpler for someone in just a rage-fueled moment to share those sort of images with everybody who you know.

And ghastly. And as a consequence, people have obviously been very traumatized. In the worst cases, people have even committed suicide.
CAROLE THERIAULT
Because the problem is, how do you stop the pictures, right, from someone else posting them? How does a social network actually find it and get rid of them?
GRAHAM CLULEY
Well, yeah, I mean, if you were to go to the social network, how are they going to stop it?

And meanwhile, everybody at your school for instance, has seen these photos and you feel you can't go there anymore. Horrible, horrible thing.

Well, Facebook is one company which is trying to take a stand against this.

For some time, you've been able to report image-based abuse on Facebook, and we'll put a link in the show notes so you can read more about that.

If you spot some images of you or video of you which shouldn't be being shared.
CAROLE THERIAULT
So yeah, you have to find it and then send a link, I guess.
GRAHAM CLULEY
Exactly. And I would imagine in many cases when it is being shared with people you know, you do get to find out.
CAROLE THERIAULT
Yeah, you get a heads up pretty quickly. Exactly, I bet.
GRAHAM CLULEY
Someone's going to say, I think you should, you know, know about this. But what Facebook's now trying to do is it's trying to be a bit more proactive about it.

And so they're running a small test in Australia.

And this is what got everyone's attention in the press where— and some of the press presented this as upload all your naked photos to Facebook and then they will try and prevent them from being posted and shared anywhere on Facebook Messenger and Instagram.

And understandably, a lot of people got pretty irate about that. And so what are you talking about, Mark Zuckerberg?

What a perv, you know, that people might want to do those sort of things.
CAROLE THERIAULT
I do have a problem with this. So I think you should, you know, do your bit and then we'll discuss it. Yeah.
GRAHAM CLULEY
So what they've— I mean, it's a difficult problem to solve, isn't it? But clearly Facebook already has systems in place to detect, for instance, child sexual abuse images. Right.

Because they don't want people uploading that sort of thing and sharing them on the network.

And so what they have is a database of fingerprints or checksums, if you like, which can identify offending images and videos. And they store that database.

So they don't store the images. What they do is that they have a database of checksums and fingerprints, I think would be the probably the best way to describe them.

And what they're trying to do is they're trying to expand that and say, look, maybe we can use this as well against image-based abuse against adults too.

So what they're saying is, If you have an image or if you have videos or if you believe that someone is going to start sharing images of you, then there's a process you can go through to basically tip us off and for us to keep an eye open and to try and prevent it from happening.
CAROLE THERIAULT
So, for example, if a specific image is sent of someone.
JOHN HAWES
Yes.
CAROLE THERIAULT
You would be having to look for that specific image online. It wouldn't be 'Let's send us pictures of you and any picture of you that we feel has too much skin.' Oh no, no, no, no.
GRAHAM CLULEY
So it's not, for instance, using Facebook facial recognition as far as I'm aware or something like that.

So it's not asking you, 'Hey, upload your holiday snaps,' or, you know, 'When you were out on the club the other night.' It's nothing like that.
JOHN HAWES
That's what I thought it was going to be, that you would send pictures of your armpit and say, 'If you see this armpit in any pictures, don't share them with us.' John, I think we could identify your armpit.
GRAHAM CLULEY
Well, probably, yeah. Without any sophisticated technology.
JOHN HAWES
But this is based on specific images or the hashes of specific images.
GRAHAM CLULEY
Yes, although I've heard it's not actually a sort of typical cryptographic checksum of an image because of course images can be resized, images can be altered.
JOHN HAWES
Stick a little logo in the corner or something.
GRAHAM CLULEY
Or put some message on or, you know, had some sort of headline saying, hey, look at Sheila or something like that, which would change the contents of the image.

So what they're trying to do is that they're using some smarter algorithms apparently to try and identify, I guess, the body or the shape or something.

So even if it's resized and altered in different fashions, they can still detect it and intercept it and prevent it from being shared.
CAROLE THERIAULT
So I think the intention is very good, but here's where I've got a few problems.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
One, you have to make sure you trust Facebook and Facebook is going to do what it says it's going to do, and it's going to make sure that this doesn't get out in any way.

Now, I realize they're hashing it and they're using all kinds of algorithms.

However, you are sending them a nude pic of you, one that you do not want online, one that you want removed from the internet.
JOHN HAWES
Well, do you actually have to send them the pic? Can you not just do the hashing yourself and send them the hashes?
GRAHAM CLULEY
So how it works is like this.

Right now, as I said, the scheme has only been run in Australia, and you can go to the eSafety Commissioner's official website, so not a Facebook website, and complete an online form.
CAROLE THERIAULT
And that's an Australian kind of authority?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Okay, right, right, right.
GRAHAM CLULEY
You can complete the form and that gives you instructions.

And what it's saying is that you have to send the image to yourself on Facebook Messenger, so you don't send it to any other Facebook users.

The eSafety Commissioner, which is the place where you've entered this form, they notify Facebook about what has happened, but they don't get to see the image.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Facebook gets to see the— gets the notification, and a member of Facebook's team, and they describe it as a specially trained representative, who will review the image and create the fingerprint, which is a human-unreadable fingerprint of it, and they store that fingerprint, that hash.

They don't store the photograph to prevent anyone else from viewing it. And that obviously prevents in future anyone else uploading the photograph to the service.
CAROLE THERIAULT
Okay, I got you. But I'm with John on this. I think, why does a human have to do— create the fingerprint? Why couldn't it be created automatically at your end?
JOHN HAWES
Well, it sounds like there's some kind of special skill required, I guess. Well, drawing an outline around the relevant part of the person or something.
GRAHAM CLULEY
Well, who knows? I mean, we don't have details of exactly that. It may be complicated. And of course, Facebook isn't in the business normally of creating programs, is it?

It creates a website. So that may not be their expertise. It may be something which they want to regularly update, the algorithms and so forth.

And at the moment, this is something which has just been done as a trial.

So maybe if they decide, you know, this worked really well and we want to do more of this, maybe we want to roll it out over the rest of the world.

Maybe in future there will be something like that which could actually be built into the software. Who knows? It's possible. But right now that isn't happening.

And of course, there is the potential that a Facebook employee might see something which you don't want to see.

But then I think if you find yourself in that desperate situation where all of your schoolmates or your family or whoever might get to see things which you don't want them to see, then you may think, I don't care if some anonymous Facebook employee who doesn't know me gets to see this.

You know, it's not pleasant, but then you're not in a nice situation anyway.
CAROLE THERIAULT
Yeah.
JOHN HAWES
Well, putting in that human element makes it much less scalable as well. That's another issue to think about that.

I don't know how big a thing this is, but if it's affecting tens of thousands of people.
CAROLE THERIAULT
Yeah. And how long does it take for each specially trained representative to deal with each image?
JOHN HAWES
Who knows?
GRAHAM CLULEY
I mean, Facebook, we know in the past when they've had people who have been reviewing controversial content, sometimes they've made bad decisions.

And obviously, there is an enormous amount of that kind of policing and moderation which is going on on Facebook. It often has been less than satisfactory, I think.
CAROLE THERIAULT
Yeah, I've read a few articles on this, not in detail, right, but kind of scanned a few articles, and I don't think I got a proper understanding of what was going on.

So you are not having to upload any picture other than the one that's currently on Facebook doing the rounds that you want removed.
GRAHAM CLULEY
Or the one which you're worried might be distributed.
CAROLE THERIAULT
Or the one that you might— yeah, yeah. So you're saying watch out for this.
GRAHAM CLULEY
And even then, you are sending it via Facebook Messenger to yourself.
JOHN HAWES
Right, right. You're not posting it to your wall.
GRAHAM CLULEY
Yeah, you're not putting it up on your timeline or something like that.
CAROLE THERIAULT
Yeah, make sure. Yeah, you can see someone screwing that one up.
GRAHAM CLULEY
I think there's been lots of sort of joke. I mean, you know, I am not the biggest fan of Facebook, right? And I'd be the first to slag them off normally.

But I actually think, although some have raised their eyebrows about this, I think actually this is probably, you know, we should give them some credit for at least trying to do something about a serious problem which has affected many people.
CAROLE THERIAULT
Yeah, well, they should do something about it. I mean, it's illegal.
JOHN HAWES
It's just the scale of it. That's the problem. There's so much stuff on Facebook. There's no possible way that anybody can control it.
GRAHAM CLULEY
Wouldn't it be great if in order to use Facebook, you actually had to have a hardware plugin?

So you had to have something which was plugged into your computer and maybe it would be like a big boxing glove, which would extend out at you.

So anytime you were a bit of a twit online or just some vile toe rag, it went into your face and gave you a good punch on the nose.

That I think is what computers are missing right now. And maybe that would solve this problem. TM it, Graham. TM it. Hey, not just on the nose.

Maybe it could punch you somewhere else as well.
JOHN HAWES
The back of the head.
GRAHAM CLULEY
So, John, what have you got for us this week?
JOHN HAWES
So I'm going to be staying in the sexual area. I know that's a common theme of this show.
GRAHAM CLULEY
Why am I not surprised for you, John?
CAROLE THERIAULT
We're scraping the barrel now.
JOHN HAWES
Well, no, it's a fairly big story this week. Yet another privacy boob in the intimate tech industry. You had to really, didn't I? So a company called Lovense.
CAROLE THERIAULT
We've talked about them before.
JOHN HAWES
Yes. Well, yes, I'll come to that. So they're a Hong Kong-based maker of what they call wearable toys.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
Okay.
JOHN HAWES
They're also very fond of the term teledildonics, obviously, who isn't? And they use it a lot on their website.

So they've admitted, well, what they call a minor bug in their Android app, which basically resulted in sound recordings being captured while the app was in use and stored on your phone's local storage.
CAROLE THERIAULT
You are kidding me.
GRAHAM CLULEY
Sorry, what kind of app is this, John?
JOHN HAWES
So it's basically a remote control app for their full range of wearable toys.
CAROLE THERIAULT
So this is a sex thing, right?
JOHN HAWES
So it's to, yeah, it's basically to allow you to control your vibrator or whatever it is you're using.

I think the sound portion of it is mainly so that you can time the vibration to go along with whatever music you're listening to or something like that.
GRAHAM CLULEY
Apparently, I don't know, it's not something I've tried out. What, the 1812 Overture or something like that?
JOHN HAWES
Yeah. Yeah, that would work nicely. So I think you can connect kind of two copies of the app. So someone else in a different room or time zone can interact with your machine.
CAROLE THERIAULT
Right. And they were recording the sound.
JOHN HAWES
Yeah. So this guy, some guy basically on Reddit, where everything comes from, by the nickname Thai doctor.

So he was cleaning up his phone and he stumbled across this audio file that he hadn't expected to be there.

And it turned out that it was a 6-minute recording of his session using the Lovense remote app.
CAROLE THERIAULT
No way.
GRAHAM CLULEY
6 minutes, eh? And he calls himself a doctor. You'd think he'd—
JOHN HAWES
I'm not sure Reddit nicknames are official medical titles.

So apparently it's a cache file that the app uses to store the sound that it needs to monitor to make use of the sound features.

And it was supposed to be deleted at the end of the session. But this bug meant that it wasn't actually deleting it.
CAROLE THERIAULT
This tiny bug, minor bug, they call it.
JOHN HAWES
Minor bug, minor bug, yes.
GRAHAM CLULEY
Quote unquote, right. Well, why was it storing the audio anyway? I don't understand that. Why? I can understand maybe if it wanted—
CAROLE THERIAULT
Maybe for repeat performances? That was good. That was a great one.
GRAHAM CLULEY
Let's reminisce. Here we are listening to classic Gold tunes from the '70s and '80s.
JOHN HAWES
That could easily be a feature, you know, if you set it up to listen to the radio and a particular song's come on and you thought, oh, actually, I quite like that rhythm.

Can I use that again sometime? You need it to have recorded the last 6 minutes or whatever.
CAROLE THERIAULT
I think go and find the song.
JOHN HAWES
You can recycle. You know? Well, yeah, that would be a—
CAROLE THERIAULT
Wow. So people must have been really unhappy. That is—
JOHN HAWES
Well, actually not that much.
CAROLE THERIAULT
Oh, really? This is their claim to fame?
JOHN HAWES
Well, first of all, it's not the first time this, as you mentioned, Lovense has been in the news for poor security.

It was only about a month ago, their Hush, it was called, Bluetooth-controlled bottom pleasuring devices.

So they were using the Bluetooth Low Energy, which is very cheap and efficient, but also very poor security.

So it was pretty easy for anybody that was in the vicinity to hijack the—we talked about this as well.
CAROLE THERIAULT
Yeah, I'm sure you did.
JOHN HAWES
Right up your alley, so to speak. And there's also, there's another incident, was this back in August? A Canadian firm who make a WeVibe device.

Yeah, they had to pay out $4 million to settle a class action lawsuit. So their toys and apps were gathering too much sensitive data.

Not malware, but they were actually sending feedback to the developers. This is WeVibe, which included the temperature levels and vibration intensity.

And also they similarly had, they were using Bluetooth and were very easy to hijack by anyone nearby.

So Lovense, this particular case is about, so they've said that no data was being sent to their servers. Everything sent between the users is peer-to-peer, is encrypted in transit.

And they did say, yes, the cache file is required for the sound feature to operate. And they've issued an update, obviously. They actually had a look at their website.

They have some pretty reasonable privacy advice and they mentioned the encryption.

They mentioned not storing things centrally, but they also note it would be nearly impossible for someone to obtain any of the content that's happening on our platform.

So it's "nearly" very important.
CAROLE THERIAULT
Well, at least they're honest. Yeah.
JOHN HAWES
So I also, I looked on the Google Play Store and there was indeed an update yesterday.

And there's also several commenters who've noted the sound recording issue, but they're not all too concerned.

One review actually says, apparently this app records "creepy." But he still gave it 3 stars.
CAROLE THERIAULT
Okay, great.
JOHN HAWES
Yeah.
GRAHAM CLULEY
There's a general problem here, though, isn't there?

I mean, regardless—I mean, okay, this is a sex toy or whatever, but with any app, you have to be very careful because you don't necessarily know either what it's doing or what it might be storing and how securely it's keeping the information as well.
CAROLE THERIAULT
It'd be smarter to be English about it and just say nothing during the experience.
JOHN HAWES
If you've given an app permission to use the microphone on your phone, you kind of have to assume that it's listening and that probably that is sending that sound somewhere else, or at least doing some kind of processing with the sound.

And the same goes for these speakers that you speak back to.
CAROLE THERIAULT
Everyone would be wise to go to their phones right now and just check the microphone setting to see what apps have access to your microphone and toggle off those that you would prefer not to have to listen to all the time.
JOHN HAWES
Yeah. And just be aware that, you know, if you're near one of these microphones, even the, you know, Amazon Echo things or whatever, they're listening. You're not in private.

And even if you've just got a phone in your pocket, you're not in private.
GRAHAM CLULEY
Well done, Carole, for using the word toggle, which is one of the least sexy words in the English language.
CAROLE THERIAULT
I love the word toggle.
GRAHAM CLULEY
No, I love it as well, but not in a sexual way.
JOHN HAWES
It's quite cuddly.
GRAHAM CLULEY
It just reminds me of Paddington Bear.
JOHN HAWES
Yeah, well, some people find that—
CAROLE THERIAULT
Yeah, perverts love that.
GRAHAM CLULEY
Perverts.
JOHN HAWES
The perverts community.
GRAHAM CLULEY
Don't talk about pervertism. The new Paddington Bear movie is about to come out or is out. You know, we might be taking my kid to go and see it.

I don't want to think about things like that. Okay.
CAROLE THERIAULT
Well, too late.
JOHN HAWES
Watch out for people engaging in discreet public play. That's one of the features of the Lovense range. They facilitate discreet street public play.

Actually, the guy on Reddit who brought it up, he said he was playing pool in a bar when the recording was made.
GRAHAM CLULEY
Oh, be careful with that pool stick.
JOHN HAWES
Yeah.
CAROLE THERIAULT
Oh, so it allows men to multitask. Is that what you're saying?
JOHN HAWES
Oh, yes.
CAROLE THERIAULT
God. Maybe something good will come out of all this.
GRAHAM CLULEY
Carole, I'm hoping you can raise the tone. Well, I can't do a little.
CAROLE THERIAULT
A little.
JOHN HAWES
Unlikely.
CAROLE THERIAULT
A little. So I'd like to tell the story of how a Minnesota— a certain man named John Kelsey Gammell became known as John Kelsey Gammell.
GRAHAM CLULEY
Oh, okay.
CAROLE THERIAULT
Yeah. Became known as, okay, cover your ears, kids, Mr. Cunnius.
JOHN HAWES
Oh, there we go.
CAROLE THERIAULT
Oh my God. And okay. And was arrested by the FBI for launching multiple distributed denial of service attacks on companies, including his former employer, Washburn Computer Group.

So let me get started at the beginning.

The FBI got wind of something fishy going on when Washburn Computer Group, Gammell's former employer, reported getting hit by numerous DDoS attacks on their websites between July 2015 and September 2016.

Right? So they called the FBI and they're saying, look, we're getting hit all the time.
GRAHAM CLULEY
Our websites keep going down.
CAROLE THERIAULT
Our websites keep going down. This is a problem.
JOHN HAWES
Right?
CAROLE THERIAULT
Right. And during this time, Washburn, the company, received emails mocking the company's ongoing IT issues.

Now, the sender of these mocking emails had created Google and Yahoo accounts, and rather than use an anonymous name, he actually used the name of another employee at Washburn.

So the FBI— so this is how it all works— the FBI subpoenaed Google and Yahoo for the detailed logs of these email accounts, and guess what?

They found a direct link to Gammell's CenturyLink IP address and IPVanish VPN service.
CAROLE THERIAULT
So basically, they got a tie between Gammell and these emails that were being sent mocking them for their ongoing IT issues. Now, let's just back up a bit.

So Gammell used to work at this company, and then he left and set up his own kind of soldering training company, and I think was looking to try and get a deal to kind of do training for Washburn, and it all fell flat.
GRAHAM CLULEY
There are soldering training companies?
CAROLE THERIAULT
Apparently there is.
JOHN HAWES
Well, someone has to teach people how to solder.
CAROLE THERIAULT
Yeah, you don't learn your— I mean, people can probably learn off Google, but you know, why not get hands-on?
GRAHAM CLULEY
All right, I'm surprised.
CAROLE THERIAULT
So he had a motive is what I'm saying. He was, sounds like he was pissed off that the deal between them didn't work after he set up his own company.

So the FBI now have a probable cause to subpoena Google for Gammell's official Gmail address, and they get the information and they find some treasure, including registration emails and pro account purchases for a number of DDoS booter services, such as Sea Stress and BooterBox and VDoS.

Now, booter services are this kind of rent-a-DDoS web attack. It's DDoS-for-hire services. Now, this is where Gammell gets extremely unlucky.

One of the DDoS booter services Gammell registered with, so VDoS, suffered a cyber breach last summer, in summer of 2016.

And a security researcher, presumably working on cleaning up the DDoS incident, handed over all the DDoS logs to the FBI.
GRAHAM CLULEY
Oh, nice.
CAROLE THERIAULT
So when the FBI saw DDoS mentioned in Gammell's official Google email communications, they probably had this big light bulb moment, found the old DDoS logs, and performed the art of cross-referencing.

And here the FBI were able to unveil that Gammell was likely to be behind a load of DDoS attacks on servers belonging to companies like Wells Fargo, JPMorgan Chase, and the one he might regret most, Minnesota Digital Branch.
GRAHAM CLULEY
Oops.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Oh, the court.
CAROLE THERIAULT
Yep, his local court.
GRAHAM CLULEY
Oh, whoops.
CAROLE THERIAULT
And can you guess what one of his usernames on the VDoS site was?
GRAHAM CLULEY
I'd rather not.
CAROLE THERIAULT
Yeah, because it is a bit adult.
JOHN HAWES
Was it Senor Canaleaks again?
CAROLE THERIAULT
So the email logs even showed that Gammell sent a congratulatory email to VDoS to tell them that their service had outperformed his expectations.

It starts with, dear colleagues, this is Mr. 'You underestimate your capabilities.' And he ends with, 'We will do much business. Thank you for your outstanding product. Smile emoji.
GRAHAM CLULEY
We are Anonymous USA.' Did he also give them 3 stars like the guy on the Google Play?
CAROLE THERIAULT
He sounds like that email. By the way, this story came from Bleeping Computer, and there's a load more information there. So I suggest anyone interested in the story, go take a read.

It's a really good story. So it's true that apparently in a number of his emails, he, Gammell, has claimed to be a member of Anonymous, the hacker collective. Our Mr.

Cannabis was arraigned in a Minnesota court this week. Washburn said that it suffered losses of over $15,000, which I was surprised that there wasn't a zero missing, but there—
GRAHAM CLULEY
Maybe it does, you don't make that much money, you know, offering soldering training.
CAROLE THERIAULT
Well, they do, I think, point of service repairs.
GRAHAM CLULEY
Oh, I see. They do all kinds of— Oh, I see.
CAROLE THERIAULT
Yeah, yeah.
JOHN HAWES
Anyway, it's entirely through the website, I guess.
CAROLE THERIAULT
Get this. According to local press, Gammell faces between 15 and 17 years in prison for his little revengeful attack.
JOHN HAWES
Well, that's actually quite reasonable for America. It's usually sort of 175 years, isn't it? Or 3 lifetimes to run consecutively.
CAROLE THERIAULT
Yeah, but, you know, it goes to show that revenge doesn't always pay off in any good way.
GRAHAM CLULEY
Well, does it ever really pay off?
JOHN HAWES
I don't think revenge is ever a good thing.
GRAHAM CLULEY
I can understand people feeling really miffed and feeling they've been hard done by by someone they used to work with and the rest of it. And you just want to get your own back.

But do you ever really get that? Oh, well, I'm very satisfied with my revenge. I'll now move on with my life. I think it's just—
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Take a deep breath, folks.
CAROLE THERIAULT
Yep. Take a deep breath and go on a holiday. Go get a massage.
GRAHAM CLULEY
Get over it.
CAROLE THERIAULT
All right. It's time for our favorite part of the show, isn't it? Our sponsors.
GRAHAM CLULEY
Are you worried that your website might be the backdoor through which hackers can access your information and steal data? Well, if so, you'll be interested in our sponsor today.

NetSparker is a web application security scanner. It can automatically quickly find the flaws in your website security and fix them before hackers can exploit them.

You can try it out right now. Download a demo from www.netsparker.com/smashing. On with the show.
CAROLE THERIAULT
Doo doo doo.
GRAHAM CLULEY
And we're now at that part of the show we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. John?
GRAHAM CLULEY
Pick of the Week.
JOHN HAWES
Indeed.
GRAHAM CLULEY
So what we do in Pick of the Week is everyone chooses something that they like.

Could be a funny story, a book that they've read, something interesting, TV show, movie, record, app, website, podcast, whatever. It doesn't have to be security related necessarily.

It could be about absolutely anything at all. But my pick of the week this week is something a little bit useful.
CAROLE THERIAULT
Finally.
GRAHAM CLULEY
But it's not going to be useful to you, if you actually use it. Oh, it's going to be useful to other people after you're dead.
CAROLE THERIAULT
Oh, that's an unusual pick of the week.
GRAHAM CLULEY
It is. Google's Inactive Account Manager. There are other sites which have something like this, but Google is so widely used, I thought this was a good one to highlight.
CAROLE THERIAULT
Do you think they'd have a better SEO name, Google's Death Manager or something? No one's going to Google Inactive Account Manager, will they?
GRAHAM CLULEY
They don't want to talk about death, I think. That was my feeling when I was reading all about this.
CAROLE THERIAULT
Jeez.
GRAHAM CLULEY
But what it is, right, is at the moment, so much of your life exists on Google, maybe on Google Drive or your Google email, or maybe your Google-run Blogger account, or, you know, whatever it is.

And what are you going to do when you're no longer around? How are your loved ones going to handle it? Now, you might want all that information to be deleted once you've gone.

Or you might want to hand some of it over to someone else to look after.
CAROLE THERIAULT
All right?
GRAHAM CLULEY
And I think it's worth us thinking about this before we do indeed, you know, kick the bucket, as it were.
CAROLE THERIAULT
So you're not going to be thinking about it afterwards.
GRAHAM CLULEY
Let me explain how it works.
CAROLE THERIAULT
Exactly.
JOHN HAWES
You never know.
GRAHAM CLULEY
What you can do with your Google account is you can go to the Inactive Account Manager and you can say, look, if I haven't used my account for maybe 3 months, 6 months, or maybe a year or something like that.
CAROLE THERIAULT
What? A year?
GRAHAM CLULEY
Yeah. What's wrong with that?
JOHN HAWES
Okay.
CAROLE THERIAULT
Well, okay, carry on. Give me, give me—
JOHN HAWES
Then there's once-a-year Gmail users.
GRAHAM CLULEY
Basically, you might be in a plane, right, which crashes in the Andes, and it takes you a long time to come home.

Or you might be on a rubber dinghy in the middle of the Atlantic waiting for someone to pick you up for months on end.
CAROLE THERIAULT
Presumably you're not giving your Google account to someone you don't like.
GRAHAM CLULEY
Or maybe you've, you know, gone to prison for some sort of offense like launching a DDoS attack or something like that. Who knows what it is, right?

But anyway, the thing is that for Google to decide your account is inactive, you have to decide what the timeout period is, the period of inactivity that must occur before it assumes you've gone a clunker.

So what you do in advance is you set up your trusted contacts.

You tell Google, these are the people I want you to tell if I haven't been active on my account and who do I want you to alert?

And you have to give it a phone number as well for these people because they don't simply want to rely on those people's email addresses in case their email address is actually compromised.

And you can decide which bits of the Google universe you want to share.

So you might decide, well, I do want to share my contacts, but I don't want to share my email, for instance, right? If only to invite people to the memorial or something like that.
CAROLE THERIAULT
So you're saying to me, right, if you kick the bucket, Graham, and you sign up—
GRAHAM CLULEY
Can we have a moment of silence for that?
CAROLE THERIAULT
And you set this up and I am down as a trusted contact.
GRAHAM CLULEY
As if.
CAROLE THERIAULT
So if you set it up for 3 months, I have to wait 3 months to get your contact list to invite your friends and your chess buddies and your Doctor Who buddies to your funeral?

Because I don't know who they are.
GRAHAM CLULEY
Yeah.
JOHN HAWES
And also if somebody dies and you have a memorial service for them and a funeral, then you mourn and things like that.

And then suddenly 6 months later you get a phone call from Google saying, oh, we think Dave might be dead. That's, you know, that's going to kind of bring up all those bad memories.
GRAHAM CLULEY
It might. All right. But this is the choice of the person who's died, right? They decide whether this happens.

But certainly I can imagine plenty of scenarios where people would want this information to be shared with their nearest and dearest.

And yes, maybe a little bit upset, but maybe after 3 months you'd be able to cope a little bit better with it.
JOHN HAWES
And I like the one, the LastPass approach. They have a similar kind of emergency access system.

So I think you basically set up a trusted person and then they have to request access and you could set a timeout to say, okay, so if my wife tries to access my LastPass and says it's an emergency, it sends me a message.

And if I don't respond within that time, it assumes that I'm dead or incapacitated or in a Turkish prison.

Allows them access rather than just waiting and then suddenly starting spamming people.
GRAHAM CLULEY
So what do you, do you on LastPass say that your partner is the person who can request this?
JOHN HAWES
So you set them up as the trusted person and then they have to request it because I can't get in for whatever reason.

And then I set that the time to say, okay, if give, give me 24 hours in case I'm not in prison.
GRAHAM CLULEY
Oh, I think I'd want a bit longer than 24 hours.
JOHN HAWES
Yeah, well, you can, yeah, it's quite flexible. I think you can.
CAROLE THERIAULT
Yeah, yeah, Graham wants 3 months. He's going to be sitting on ice while we're sorting out everything. I'm going to be Walt Disney. I'm going to be cryogenically suspended.

I don't know why I assume you're going to die before me. I'm sure that's not the case.
GRAHAM CLULEY
I am older than you.
CAROLE THERIAULT
Yeah, I know.
GRAHAM CLULEY
And you're a bit fitter than me.
CAROLE THERIAULT
Definitely.
GRAHAM CLULEY
Carole, what's your— Oh no. John, what's your pick of the week?
JOHN HAWES
Ah, okay. Well, so this week I have been enjoying wood quite a lot.
CAROLE THERIAULT
Oh, based after this episode. Is that appropriate?
JOHN HAWES
What? Hey, calm down. No, no, I've been enjoying woodworking out in my shed.
CAROLE THERIAULT
Ah, yes.
JOHN HAWES
So I discovered that those nice cardboard boxes that you get wine shipments in with the little cardboard dividers, yes, they work very well to store your wine in a kind of vertical stacking system, only until you take one of the lower bottles out and then the whole thing collapses because cardboard's not that strong.

So I thought I'll pop out into my shed and I will knock something up out of bits of wood that I have lying around. I have lots of kind of scraps and recycled, reclaimed things.

I thought that'll be it, make a nice little wine rack.

So I've been tinkering away, and one of the things it's reminded me of is I have some very, very lovely tools, thanks to my very, very kind in-laws, from a Canadian store called Lee Valley Tools.

And these guys make quite beautiful, you know, they're lovingly crafted, hardwearing, and very classical looking stuff.
CAROLE THERIAULT
Yeah. What kind of tools do you have?
JOHN HAWES
Planes, and I have a lovely set of chisels. I have some Japanese pull saws, which are very useful for kind of fine little cutting work. But yeah, and they're very good looking.

They don't just make that kind of traditional classical stuff. They have lots of inventive gadgets and gizmos. With new ideas as well.

And they have kitchen things as well as kind of woodworking stuff, and they ship internationally.
CAROLE THERIAULT
I know the shop, being Canadian, I know it, and it's, it is a pretty cool—
JOHN HAWES
It's quite a big chain.
CAROLE THERIAULT
Yeah, it's quite a cool store. It's got a lot of cool stuff in it.
JOHN HAWES
Yes.

So I, my pick of the week is for anybody that's interested in woodworking or has a friend that's interested in woodworking or just wants a stunning plane to sit on their mantelpiece as a decoration, you know, pop to Lee Valley.

They ship internationally. It's a great, great website.
CAROLE THERIAULT
Cool.
JOHN HAWES
And if you can go to the actual shop, it's even nicer.
GRAHAM CLULEY
Something's going on. All right, Archie, calm down. Sit down.

Well, it's great to know, John, that while you're whittling away in your shed, you've got such fine equipment in your hands.
CAROLE THERIAULT
Okay, that's a weird sentence.
JOHN HAWES
That's, that's, yes.
GRAHAM CLULEY
Just keeping the tone going.
JOHN HAWES
Yes, exactly.
GRAHAM CLULEY
Theme of the show. Carole, what's your pick of the week?
CAROLE THERIAULT
Well, my pick of the week is for kids.

Now Christmas is coming and, you know, we're all thinking of what to get kids in our lives, but wouldn't it be great to give them something that they love that also teaches them something super valuable?
JOHN HAWES
Mm-hmm.
CAROLE THERIAULT
So here's a really cool gift idea for budding engineers. It's not new, but it's certainly tried and tested and great.

I bought these for my niece and nephew a few years ago, and they went down a storm. And what I'm talking about is Snap Circuits from Elenco Electronics.

These are color-coded electronic kits for kids aged 8 and above.

And with Snap Circuits, kids can build hundreds of different projects like mini motors and speakers and lamps and doorbells and burglar alarms and all sorts of stuff.

And it's really, really fun. The pieces are really good quality. They have a really satisfying snap when you put them into place.

And it's a really great way to introduce kids to electronics.

And you know what, you might just learn a little bit more if you're not really au fait with the ins and outs of electricity.
GRAHAM CLULEY
I'm looking at a video right now of some of this stuff. It looks really cool.
CAROLE THERIAULT
It's great. It's really fun. And projects can— some projects can take a few hours or half an hour. So they have different levels.

And there's— if you go to the website, there's tons and tons of different Snap Circuit sections you can buy.

Now, the one thing I would warn is not to buy directly from the website because they don't have HTTPS. So maybe go to Amazon or other trusted online retailers to purchase them.

But I promise you won't be disappointed in either one of your picks. Or a physical shop.
GRAHAM CLULEY
Physical shops?
JOHN HAWES
They exist.
CAROLE THERIAULT
Yeah, but they tend to have less of a range and it's kind of cool. And some of them even connect with your phone, right?

So you can actually test the circuitry using your iPhone or Android. It's pretty cool stuff.
GRAHAM CLULEY
It does look really cool. I mean, there's like flashing bulbs and windmills going off and it looks very, very much fun. Very creative.
CAROLE THERIAULT
Imagine a kid could build a little burglar alarm to stop people from going into their stuff.
GRAHAM CLULEY
Very cool. Very cool.
JOHN HAWES
Or a wearable toy.
GRAHAM CLULEY
John. Sorry. Well, I think that is as good a time as any to wrap up the show. Remember, you can follow us on Twitter @SmashinSecurity, without a G. Twitter didn't let us have the G.

You can also join us on Facebook at smashingsecurity.com/facebook, or you can buy some swag at smashingsecurity.com/store.

Thank you very much, John, for joining me and Carole Theriault.
JOHN HAWES
Thanks for having me.
GRAHAM CLULEY
Terrific to have you here.
CAROLE THERIAULT
Keep the tone so low. We love that.
JOHN HAWES
Well, you know, I tried to fit in with the theme.
GRAHAM CLULEY
And if you know someone who might like the Smashing Security podcast, tell them about it. And you can go to smashingsecurity.com for the past episodes and to get in touch.

Until next time, cheerio. Bye-bye.
CAROLE THERIAULT
Thanks for listening, everyone. Thanks. Cheers.
GRAHAM CLULEY
Okay, there we go. Thank you, everybody.
CAROLE THERIAULT
Yeah.
JOHN HAWES
Yeah.
GRAHAM CLULEY
I'm going to press Stop.
CAROLE THERIAULT
Press stop.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

9 comments on “Give Facebook your nude pics to tackle revenge porn”

  1. someone

    So, how does it get consent? Does it message you out of the blue and say "bob" is trying to publish an intimate picture of you? Do they show you the picture? What if it's not you? Then it would be Facebook spreading it. What if you're a twin?

    How about more articles that say… don't allow others/self to take intimate pictures of you. Unless they're actual non/never digital images stored in a controlled safe place [and that's not even 100% safe], assume it'll eventually fall in the wrong hands.

    1. Graham Cluley · in reply to someone

      My guess is that Facebook doesn't bother asking for consent.

      If it determines the image is in its database of dodgy images it simply won't allow it to be uploaded to its servers.

      1. Mark Jacobs · in reply to Graham Cluley

        We therefore have to trust the Facebook image matching algorithms! Mmmmm, judging by the way they seem to lose perfectly legitimate comments at random from the site (of which I have proof), I don't think I'd trust much of their software capabilities.

  2. Wayne May

    There is another phrase used instead of "revenge porn" – "image based sexual abuse". I'm guessing the media isn't using it as the "porn" part likely sells more copies for them.

  3. Jeri

    Don't take nude photos. Problem, solved.

  4. Farid Tahery

    Yes, go ahead and upload your nude photos to Facebook. What can POSSIBLY go wrong?!

  5. Martijn Grooten

    Did you see this thread by Alex Stamos, and the article linked there?

    https://twitter.com/alexstamos/status/928740488395608065

    It is something Facebook, and many organisations working with victims, have thought about very carefully. No solution is perfect, but if you're worried about your nudes being shared among your class mates, with your family or within your social circle, should you really worry about some anonymous person at Facebook also having access to your nudes?

    1. Martijn Grooten · in reply to Martijn Grooten

      Also, someone else made the good point that the use of "your" in many articles (including your blog) implies that this is something for the general public. It's for a very specific group of people, for whom this may be the least bad of all bad options.

  6. Mark Cross

    Why does photo need uploading?

    Surely, like several firms on the market that use a Photoshop plugin to calculate a fingerprint, it could actually be done in the browser or a local utility?
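The local-fingerprint idea Mark Cross raises, as an added example that is not code from the post, its commenters or Facebook: a toy dHash-style perceptual hash computed locally over a constructed grayscale grid, then matched against a stored hash by Hamming distance, so only the short hash would ever need to leave the device. The hash function, the 72x72 synthetic pictures and the 10-bit threshold are assumptions; the article does not describe the matching technology Facebook actually uses.

```python
"""Constructed example (not code from the post or its commenters): a toy
perceptual "fingerprint" computed locally, so only a short hash, never the
image itself, would need to be submitted for matching. dHash stands in here
for whatever production system Facebook uses, which the article does not name."""
from typing import Callable, List

Image = List[List[int]]   # rows of 0..255 grayscale values


def downscale(img: Image, w: int, h: int) -> Image:
    """Box-average img down to w x h; assumes the dimensions divide evenly."""
    bh, bw = len(img) // h, len(img[0]) // w
    return [[sum(img[yy][xx] for yy in range(y * bh, (y + 1) * bh)
                              for xx in range(x * bw, (x + 1) * bw)) // (bh * bw)
             for x in range(w)] for y in range(h)]


def dhash(img: Image, size: int = 8) -> int:
    """Difference hash: one bit per pixel of a (size+1) x size thumbnail,
    set when a pixel is brighter than its right-hand neighbour."""
    bits = 0
    for row in downscale(img, size + 1, size):
        for x in range(size):
            bits = (bits << 1) | int(row[x] > row[x + 1])
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def matches(img: Image, fingerprints: List[int], threshold: int = 10) -> bool:
    """True if the image's hash is within `threshold` bits of any stored hash."""
    h = dhash(img)
    return any(hamming(h, f) <= threshold for f in fingerprints)


def synth(f: Callable[[int, int], int], n: int = 72) -> Image:
    """Constructed stand-in for a photo: pixel value given by f(x, y)."""
    return [[f(x, y) for x in range(n)] for y in range(n)]


# Constructed inputs: an "original", a brightened re-save of it, and an unrelated picture.
ORIGINAL = synth(lambda x, y: abs(x - 36) + abs(y - 36))
BRIGHTER = [[min(255, v + 20) for v in row] for row in ORIGINAL]
UNRELATED = synth(lambda x, y: x + y)

# What a victim-side tool would submit: the hash of the original, not the picture.
DATABASE = [dhash(ORIGINAL)]

if __name__ == "__main__":
    print(hex(DATABASE[0]))
    print("brightened copy flagged:", matches(BRIGHTER, DATABASE))    # True
    print("unrelated image flagged:", matches(UNRELATED, DATABASE))   # False
```

A brightness change leaves the relative ordering of neighbouring blocks intact, so the brightened copy hashes identically, while the unrelated gradient differs in 32 of 64 bits.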
