
More than 4000 websites, including many belonging to governments around the world, were hijacked this weekend by hackers who managed to plant Coinhive cryptocurrency-mining code designed to exploit the resources of visiting computers.
High profile websites impacted by the hack included the UK’s Information Commissioner’s Office, NHS websites, and even the homepage of the United States Courts – uscourts.gov.
The alarm was raised by British security researcher Scott Helme who posted details on Twitter as he found more and more affected sites, and narrowed down the problem to a popular accessibility plugin called “BrowseAloud” which helps make websites more accessible to visually-impaired internet users.
No doubt many public sector organisations found themselves hit by the poisoned version of BrowseAloud because of their legal obligations to make their information accessible to people with disabilities.
Texthelp, the developers of BrowseAloud, posted an alert on its website and took the service offline:
At 11:14 am GMT on Sunday 11th February 2018, a JavaScript file which is part of the Texthelp Browsealoud product was compromised during a cyber attack. The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency. This was a criminal act and a thorough investigation is currently underway.
Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers' CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday.
Things could have been much worse. Imagine if the plugin had been tampered with to steal login passwords rather than steal CPU resources from visiting computers.
Whenever you use someone else’s code on your website you’re increasing your attack surface. If a hacker wants to infect four thousand websites it’s likely to be a lot less effort to tamper with one third-party script which is used by four thousand websites than to compromise each website one-by-one.
For further discussion of this issue be sure to check out this episode of the “Smashing Security” podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
This is a little ThinkPad. They had no computer power. You weren't controlling nuclear weapons from a laptop, Carole. And you know, if you're installing Angry Birds, yeah, maybe it's not that big a deal, is it? Sorry, do you understand? 1 petaflop! 1 petaflop is what I'm talking about.
And yet Facebook still runs really slow.
Smashing Security, Episode 65: Cryptominomania, Poppy, and Your Amazon Alexa with Carole Theriault and Graham Cluley. Hello, hello, and welcome to episode 65 of Smashing Security for the 15th of February 2018.
My name is Graham Cluley.
And I'm Carole Theriault.
And Carole, we are joined today by a good friend of the show. She's been on several times before. By popular demand, it's our very own superhero, Maria Varmazis. Hello, Maria, welcome back to the show.
Hi, I'm not a superhero though, but that's very, very flattering.
You wouldn't admit it. You wouldn't admit, you know, Superman doesn't walk around saying, "I'm Superman." So.
I don't have my pants on outside of my, anyway.
You are a big Trekkie, right? You love—
Massive.
Yes. I mean, I just like the superior Doctor Who. Vastly superior. No, but you are equally a crazy Trekkie fan.
But I do love Doctor Who. I mean, I grew up watching Doctor Who as well. So, you know.
That actually makes you worse in my eyes because you watched it and yet you came to the conclusion that Trek was better. But anyway, we'll be right back.
Can't I love both? There's room in my heart for both.
No.
And I don't Star Wars, so it's okay.
Oh, well, it's for kids really, isn't it? We'll be right back after this break and after all the hate mail from the Star Wars fans. This episode of Smashing Security is sponsored in part by LastPass. Did you know that 81% of breaches are caused by weak passwords? Failing to protect them could be a costly mistake for you and your business. Every single password is one more entryway into your business. LastPass makes it easy to secure them all, giving insight into employee password behavior. Go to smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses.
Rapid7 is sponsoring Smashing Security. Rapid7's Insight IDR has been named a visionary in Gartner's latest SIEM Magic Quadrant. It is an intruder analytics solution that gives you the confidence to detect and investigate security incidents faster. You can download a 30-day trial by visiting rapid7.com/insightidr.
And welcome back. Well, in the last couple of years, I think we've all witnessed this huge rise of ransomware, haven't we? Where they're taking over computers, encrypting our important files, and then demanding that a cryptocurrency payment is made in order to get your files back. That has grown enormously. But what's interesting is that we're beginning to see something of a shift, maybe a move away from ransomware and much more crypto mining. In fact, I would like to announce that we now live in an era of crypto-minomania. Crypto-minomania. Thank you.
Yeah.
So crypto mining, for anyone who doesn't know, maybe some people who listen to the show don't know what happens here. Maybe you go to a website or you run a program and in the background, without you realizing it, your browser or the program which you have installed is secretly mining for cryptocurrency. So it's doing all of the complex and intensive CPU work in order to make bitcoins or make Monero or one of the other cryptocurrencies which is out there. So this is a different way for the bad guys to make a buck. And obviously it's very different from ransomware in so much as ransomware is very visual and obvious. You know that you've been hit. It has to tell you that you've been hit and then you're going to take some measure to get rid of it. When it's crypto mining, they won't necessarily announce the fact that they've done it. So lots of people are jumping on this bandwagon. And what do you mean people?
And okay, yeah. Well, I'm wondering, I'm thinking, does antivirus software, can it protect you from this? Or could it be labeled as a PUA? Well, yeah, you can put blockers in place both in your web browser or indeed your ad blocker.
You mean website owners or bad people?
Website owners, bad people, lots of folks, right, are crypto mining. Either they are buying computers and hardware themselves, setting up little rigs to mine for cryptocurrency, or they're actually doing it sneakily inside websites. And we've seen a few examples of websites which have done this, including some file-sharing websites. But what's interesting now is, I said, we're seeing criminals really try and take advantage of this to make money.
Doesn't come as standard at the moment with antivirus?
Well, some antivirus software, yes, will detect this kind of thing in web pages, just as they may discover malicious code. It depends rather on how much the code has been hidden away from people. Last weekend, for instance, it was discovered that more than 4,000 websites, including many belonging to governments around the world— US government, US courts, the National Health Service, and ironically, the Information Commissioner's Office in the UK, who are the people who normally slap your wrists if you have some sort of data incident— had their websites mangled, messed with, hijacked by a third-party plugin which was using some cryptocurrency mining code. And this plugin was something called BrowseAloud. And BrowseAloud is a piece of software, a plugin which you can put on your website to make it more accessible to people who are visually impaired. And of course, many public sector bodies are doing exactly that.
Is it yet another JavaScript thing?
They need to have their website accessible to a wide range of the population. And so they think, "Oh crumbs, how are we going to do this? Let's just plug in this little bit of software and it will do it for us." Magic. Now, the problem is the bad guys messed with that BrowseAloud plugin and included some code in it, which took CoinHive. CoinHive is probably the most commonly used piece of cryptocurrency mining JavaScript, which is out there at the moment in order that every person who went to those websites was actually secretly mining Monero for the bad guys' pockets. It's just another piece of JavaScript. In this case, it was obfuscated.
Anyway, from around the world?
Well, it's not so much them, it's the people visiting the web page.
Granted. Yeah, right.
Okay.
Of course they did. Who would have that alert go off. And this happened over the weekend, so there's probably less actual traffic going to them as a result.
We're doing bad accents again.
No, we're doing flipping good accents. So there is a nuclear weapons facility, a top secret nuclear weapons—
That you know of.
Research. Well, it's top secret. Okay.
Connections. It's that chess thing. That's where he finds out. That's his actual—
When I was chatting to Garry Kasparov the other day—
Top secret nuclear weapons facility that you're aware about, but no one else is. Carry on.
Look, just because something is top secret doesn't mean it's actually a secret. It just means it's— Oh, I don't know. Maybe you just can't get to it. Maybe there's a big barbed wire and things, and you're not allowed into the city.
It was the Ethernet cable was just unplugged.
To mine cryptocurrencies. Russian authorities have arrested several scientists working at this facility. Because what they did was they hijacked the Uber supercomputer.
It was next to the wall and they're just,
Excellent.
Right.
Right. Let's just stop right there. And then there we go.
This is a 1 petaflop supercomputer.
I love that word so much.
And how much bitcoin did they make? 0.01?
No. Petaflops. You know what that is?
But I wonder how much actual bitcoin they made. Using that ginormous rig?
Well, I haven't managed to find out that particular detail.
Super secret. Okay.
One bitcoin. Super duper secret.
Exactly. That's what I'm waiting for. One whole bitcoin.
Now you're probably wondering, how did they get caught? Well, they got caught because in order to do crypto mining, you need to connect your computer to this little thing called the internet.
What?
And now this is, now this is going to surprise you. But you're not supposed to connect nuclear weapons facility research supercomputers to the internet.
No way.
Really not. That's a bloody good question.
What? Now why is that?
Really not.
How come?
They can't watch YouTube?
Why would you want to do that? What if you really want to play some Call of Duty? I don't know, whatever. It gets boring in there. Basically, the message here is you can't trust your own staff, right? And people will go to extraordinary lengths saying, hehehe, we can— or maybe ho ho ho, oh, it's French. You're going to be boycotted.
You can't trust anybody these days, any member of staff, as to what they're getting up to with your computers.
Yeah.
I don't think there's anything that's changed. I think the same thing happened when we were first given laptops, for instance, and it was all, laptops are just for work people. How many people do you think followed the rules there?
That's just a ThinkPad. They had no computer power. You weren't controlling nuclear weapons from your laptop, Carole. And you know, if you're installing Angry Birds or something on it, yeah, maybe it's not that big a deal, is it?
You just want to check Facebook.
That's just— I can— it's fine for adults.
One petaflop. One petaflop is what I'm talking about.
I just think that just cannot be for kids. You can't do that approach.
And yet Facebook still runs really slow on that website.
It is really scary though, isn't it, actually, a nuclear weapons facility PC computer and just, let's connect it up.
That's sort of that. No one will notice.
Okay, so getting back to real life, if I am a user and a visitor of a website which has the secret JavaScript code on it, what would I notice? How would I know if I wasn't running an antivirus or something? How would I know that it's there and how can I stop... Are you okay? Was that just... I don't know what just happened.
Your fan goes crazy. Your battery life diminishes. Everything runs slowly, right? Because, well, it's taking up all of your CPU.
I don't know how to proceed from there. I think we should just end the segment right there.
It's like someone threw honey into the back of your computer.
It's exactly that. I'm glad we've been able to describe this scientifically. Yes.
That is something I am completely familiar with.
It's a teeny weeny problem.
Yes. That happens to me all the time.
It just turns to sludge. And talking of sludge, there was a sewage plant which got hacked in order to mine crypto coins. Can you believe that? And some people will view its content as sludge. Salon.com. Have you heard of Salon.com? It's not an online hairdresser's. What it is, is a left-wing media outlet. Is that right, Maria? You're our token American.
I would say that's correct. Right. So I can hear what a whole bunch of people are thinking right now. I don't have kids, or my kids won't watch YouTube kids because I'm a perfect parent, whatever, and problem solved, who cares, I don't give an F about this.
Eyebrow-raising topics occasionally.
So this, I think, is a much bigger problem than just YouTube and kids stuff and all that kind of thing. And as Graham alluded to, it's the attitude of users will fix it for us. It's the user problem, the users will handle it. Yeah, there's a lot of hate reads on Salon.com where people are all right.
So what they're doing right now is if you go to their website, you will see a pop-up, and we're all used to these pop-ups saying, oh, you know, turn off your ad blocker. And we're all, bugger off. No, we're not going to turn off our ad blocker because we don't want to get infected by malware and we don't want you tracking us and all the rest of it. But this particular one says, look, you've got a choice. You can either stop blocking ads, so whitelist us in your ad blocker, or you can let us mine some cryptocurrency.
And in this case, fundamentally, YouTube Kids is failing its users. And of course, in this case, the kids are very vulnerable. But it just makes me think of so much else that we've heard, both in the podcast and in general, that we have all this tech that makes huge promises and then it grows so quickly, way faster than anybody can predict, that it very quickly outpaces its reasonable use and it gets abused so much faster than anyone can possibly moderate it or enforce any kind of sane rule. Are you serious?
Sorry.
Or maybe I'm a ransomware.
Okay, hold on. That's so Salon though. All right. I'm going right now to check it out.
Go there right now. Make sure you've got an ad blocker on.
Yeah.
I do have my ad blocker on. Of course I have an ad blocker. I'm not getting that message.
I'm going to.
No, it's not a— I really want to see this story.
Oh, I got it. You got it, Carole?
Right. Oh, I just got it too. Get out.
For real.
Suppress ads. It says block ads by allowing Salon to use your unused computing power.
Oh, yeah. And if you click on the link through to the FAQ, you will find out that they are using CoinHive code to mine Monero in the background. And there are people who've gone there and they've said, well, it now takes 10 times longer to read any Salon article because you're better off anyway. Your computer has turned to sludge.
They can't even scroll.
It was an aberration. Yeah, he was awful. But if it's pure proper Scooby-Doo, that's all right. Or Danger Mouse, something like that. No, it's because everything's so slow. And imagine if all these websites begin doing this and you've all got, you've got them all open in tabs, right? That's what I'm doing. I have loads of tabs open all the time and you're thinking, why is my computer turning this slow? So you actually see stuff which has been made by proper organizations producing output, media organizations who have been producing kids' programs. Rather than, you know, who have some responsibilities, rather than, you know, Uncle Norman down the road has made a video and he's—
Yeah, yeah, yeah. This, yep.
Now in some ways I think it's great, you know, Salon being upfront about it and going, hey, let us do this. They're not doing this sneakily.
It's an interesting solution, isn't it though? I mean, given that nobody wants to see ads, nobody is going to get money from ads. I mean, I hate the idea, but it's also interesting.
It is interesting. I think it is an interesting alternative, but I think maybe the way in which it's being done isn't quite right. Maybe they're taking too many resources. And this is the other problem with crypto mining. Everyone's jumping on this bandwagon. That's what the mania that we're seeing right now. But, you know, at the beginning of this, I mentioned about these 4,000 government websites which got hit and had crypto mining code on them. How much money do you think the bad guys actually made from doing that? Really huge, high-profile hack. By the way, say a big number, otherwise it's going to appear unimpressive. So it's—
I agree with you there, but I think that's a very reasonable and really smart decision on the small sliver of the issue being YouTube Kids specifically, but bigger picture—
18 million.
18 million. Maria, can you come up with a similarly huge amount of money?
81 million.
81 million. No, no, it wasn't. Let me tell you how much it was. $24.
Cha-ching!
The whole thing's just a joke.
You can't even fill up a car with that much money right now.
I'm—
That was 4,000 websites, admittedly only for about 6 hours or so. But, you know, is it really worth it?
That's not even their hourly wage. I mean, that's not—
So I think crypto mining is a bit of a trendy thing to do right now, isn't it? By the criminals and indeed by other legitimate websites which are trying to make money. Maybe they're finding advertising isn't working, but it just doesn't seem to really bring in enough cash to be worth it.
It's that the user has a choice right now. That's the thing that bugs me about all this. If they, you know, in this case, in the salon.com example, you do have a choice and I agree, that's good. But if this is sneaking onto your machine and there's no real way that you can flag it and stop it or be asked permission to do it, it's gross. Well, obviously you can install a browser plugin or something like that, which will alert you if known crypto mining code is being used by a website. That's terrific.
Oh, you'd notice your bill.
You'd be paying for it.
Yeah, you're looking at your bill.
And I have my own podcast.
You'd be paying for it. Helping, helping to— True.
Yeah.
You know, I would be playing it constantly if I'm not saying it should sneakily do it, but I wonder whether we will see more free apps thinking, actually, this is a way we can make cash without having to worry with all that hassle of ads.
This seems like every time somebody says something crypto something or blockchain something or other, everybody just loses their minds and wants to get in on that, even though they may not understand what it means. Like, I barely understand what this stuff means.
I did, but just to get the numbers up. So I know I was talking to a financial advisor and he was saying daily he gets calls from people saying, hey, I'd like to invest in bitcoin, do you do that? And he says, no, I'm not involved in this.
If you're asking, don't. Yeah, pretty much.
But maybe we can give an address at the end of the show if people want to send us their money. And we will, of course, invest it wisely for them.
Oh, sorry, Maria. There goes Greedy Guts once again, courtesy of a Maria, tell me Panama PO box. A or B.
What about doing a splinter episode talking about blockchain and all that kind of stuff? Because it's huge right now.
Yeah, that's such a good idea, isn't it?
Yeah. Imagine if we had done that a while ago.
I would actually love to hear it because I could learn about it.
It is written by a Scottish chap.
Maybe about 10 weeks ago.
The dinosaurs all have crazy Scottish accents. Yeah. Imagine if we put that out at the beginning of the year.
Oh, don't tell me that was on the agenda and it didn't— Oh, sorry.
Is that right? Okay, right, let's teach you how to use the—
This is quite cool, but I don't think it's as cool as the Wintergarten.
We've done that, Maria.
Wait, did you? And I missed it?
Maria, what's your story for us this week?
Sorry, need a moment. So, continuing my trend of being the old man who yells at clouds, I'm going to get mad at technology again this week. So my story is about this thing called YouTube for Kids. So it's basically, let's try and trick the YouTube filters to get something a little bit inappropriate in there, and somehow that's a win.
It's not a war. Somehow that's a win.
I've always found Donald Duck slightly disturbing because he doesn't wear trousers, I have to say. So I can understand the difficulty YouTube for Kids has working out what's appropriate and what isn't, right?
I didn't even know I was in it, but okay, great.
Really? I mean, if even we adults can't figure it out, then how the heck can a machine figure it out? Apparently, thousands upon thousands of these videos would have what Bridle calls word salad titles, where the titles are just complete nonsense with a ton of keywords that are popular with kids, Frozen or whatever, Lego, Spider-Man, Batman, whatever, you know, eat spaghetti in a tub with cake, Minecraft.
Okay, can I ask a question?
This is some twee, twee shit.
Why wouldn't they just make videos that aren't rude if they're trying to monetize it? Because it gets attention? Because the media might pick up on it and then everyone goes to it? Maybe it's an algorithm. Maybe it's an algorithm that goes out and just grabs videos and it's— I don't know. It's really weird.
I have no idea. I have no idea.
It's a great question. I've— maybe it's just easier to do this nonsense bullshit. I mean, Elsa eating spaghetti in a tub.
To me, if it was a monetizing thing, you would try and stick to the rules as much as you could.
Oh, you know what it could be? I wonder if the people behind this are actually child psychotherapists. And what they're doing is they're trying, they're trying, yes, they're making money out of the monetization of the video being watched, but also thinking we can potentially get paid thousands for years and years in order to put the kid's head right again.
This is what you're going to take a stand against?
They're playing the long game is what you're saying.
Yeah, that's not an insane suggestion at all.
I'm just trying to be logical. I'm trying to be logical about what I thought was a very good question.
You've done a very good job, Graham.
Thank you.
Yeah. I mean, the only answer always, I mean, the answer is always money. I mean, they wouldn't do it if it didn't make them money because you've got a kid parked in front of a screen and the YouTube Kids app is just pulling up video after video after video. And the parent presumably has no idea what's going on. And the kid is just auto-playing all these bizarre videos that the algorithm keeps serving up to them.
It must be that these are, no one's actually looking at them. They're just being automatically compiled and slapped up there.
Yes.
Exactly. Yep. And they keep getting past what YouTube calls, you know, their automated quality filters. And they insist— YouTube does— that through the magic of machine learning, that they're getting better at rooting this junk out and protecting kids.
I bet that's probably true. I bet that's probably true.
It probably is.
Thank you for your reviews.
It's— I'm sure it's an arms race. The burden's on the kid to protect themselves from the bad stuff. So kiddo, if you got nightmares seeing Winnie the Pooh being decapitated, just flag it and move on, okay? Right? That's basically what they're saying. That's a great approach. Yeah. And the response from YouTube is, well, parents and kids should just flag the bad content when you see it.
I can understand the trauma of this. My oldest childhood friend is a womble called Orinoco, who was a pajama case. And I'm looking up at him right now. He's on one of the shelves in my office.
You're lucky he's still with you.
So that's not—
I took him on a trip with me once as a grown-up, and a number of unfortunate events happened to him. Carole, I don't know if you know anything about what happened to him, but he ended up basically being crucified. I think at one point he was found hanging from a banister. It was— and I was quite upset— stabbed and— Was it being used for voodoo?
I mean, we were all really concerned in the house.
Carole was there. She expressed concern at the time, but at the same time was also seen smirking a lot.
No, no, I was trying to get to the bottom of what was happening.
Were you? Yeah, interesting. Yeah, so I can understand this.
But anyway, yes, you sound traumatized, a little triggered, if I may.
Yes, I feel I have been. I'm going to actually have to go and find my emotional support womble right now.
You should see this thing. It's been hugged bare. It's a little rat.
Can we have a photo in the show notes? This is really important. I have to respect his privacy, so I'm not sure if it'll make it in.
Anyway, sorry, continue. So basically they're saying it's people's fault, it's the user's fault. They've got to handle it. Do you know what would be better? Why don't we just ask adults to kind of take part? Little Timmy has to press report.
But that wouldn't even cover— I'm sure with the number of videos out there, it wouldn't even cover it, even if people actually wanted to do that, which nobody would.
From crypto mining our activity while we watch the video. Exactly.
But yeah, it's just, it's a really yucky problem.
Yeah. My kid loves YouTube for Kids. I'm sorry, Maria, my kid's older than yours.
I don't doubt it. Yeah.
And so he's been corrupted by it. Against my better judgment. But he hasn't, thankfully, as far as I know, encountered anything like this. He has seen a couple which he found a little bit scary, but I think that was just him being a bit sensitive or whatever to it. But I wonder whether what we really need to do is we need to say, you know what, YouTube isn't for kids.
Now, kids are into screens, but there's no reason why we couldn't plonk them down and say, 'Watch 5 episodes of Scooby-Doo' or something instead. Something which hasn't been made by the great unwashed public.
Well, it is a great program apart from when Scrappy-Doo was in it. I think they did ruin it.
I never watched Scrappy-Doo. That was after my time.
But it is bigger than that, isn't it?
Yeah, why do we throw our hands up in the air and go, well, you know, users, you should really be flagging this stuff and you figure it out and when you flag it, we'll clean up the mess, but until then, you know, I mean, that to me, that just feels so half-assed. Have we really done all that we can to protect users? And I'm not talking just about kids, I'm talking about users in general.
No, no, I think we need to ask the big giants to step off the arms race. I mean, Facebook as well is going after 13-year-olds and under, right, with their new Facebook for Kids. And so we've got both internet giants trying to compete for mindshare of our children. And I think you're asking the right questions. Should we allow our kids to do this?
To me, it seems almost like a— I think it's a no-brainer. Most people would say, yeah, keep kids off of this stuff. And I'm just thinking just in general, again, I'm going hugely, massively big picture.
You've gone big.
You've gone way beyond just kids on the internet because I feel that one's— that's much more black and white. I'm thinking more why are we expecting users to do all the content policing and the frontline defense? That to me is—
Why are people accepting it? Which is even, you know, right?
Because, yeah, I mean, I'm a Reddit user, for example. Reddit is both amazing and the absolute cesspool of the internet, one of the many. And one, I mean, it's both at the same time. And basically every time Reddit comes out with a new rule saying, hey, we're doing something about some abhorrent thing that has popped up on Reddit, inevitably they go, well, we can't police this stuff. You guys just need to flag it and then we'll look into it. And it just seems so noncommittal and a complete abdication of responsibility. I don't have a genius solution here.
It's not okay.
And we've just seen this with the deepfakes thing, which we spoke about a couple of weeks ago as well. The sort of celeb fake porn, you know, where people can take pictures of you and insert you into a porno movie, haven't they?
Yeah. And Reddit came out a week after that story came out. I don't know, maybe we helped with that. I have no idea. And said, you know what, we're banning that subreddit that has the deepfakes on it. Great. Problem solved. And then people in the thread said, okay, great. So what are you going to do about it if, say, somebody's involuntarily in a deepfake porno, and they said it's the responsibility of the person who has appeared in that porno to flag it and say, I don't want to be in it. So again, it's, me, I would need to go trolling through this stuff to find—
Yeah, right.
I can do that. I can do that for you, Maria, actually. I'm happy to watch lots of those videos, and I'll tell you, both of you, if I see you in there.
I'm so sorry.
I'm so sorry.
I'm so sorry. He doesn't know what he's doing.
He doesn't know what he's doing.
It's okay. I'm just— okay. He's blushing. I'm just— I'm dying.
Fro, what have you got for us?
Do you hear that sound, guys? Do you hear that? That sound is the sound of UK advertisers utterly thrilled with a recent precedent that was set by the UK Advertising Standards Authority, also known as the ASA. Oh yeah, do you want to know why? It all starts with virtual assistants. So roughly 1 in 10 households apparently have an Amazon device in the UK and US.
Wait, an Amazon device being an actual speaker thingy?
Yeah, sorry, yeah, an Amazon virtual assistant. So an Echo, a Dot, Alexa.
Yeah, you call that whole group—
But wait, is this— is the number seriously 1 in 10?
Yes, that's what—
Okay, I know this is apparently 1 in 10, and 1 in 20 have a Google Home. I think this sounds huge.
I cannot with that.
And Apple have just put out their new HomePod, right? So people are in love with these virtual assistants because they can play songs and podcasts and manage their smart home and get updates on the weather. I'm not sure why that's important, but people seem to love to know about it.
Do either of you have one of these? No.
Like the blockchain episode that apparently exists that I forgot about. So yeah, just play it over and over.
And people also love, and I think this is particular to Amazon's assistants, the shopping element, right? Where you can make a list and you can confirm orders, etc., etc. But things may be about to get very annoying for virtual assistant users. Let me set the scene here. So you remember from last January, there was this famous Amazon Dollhouse order fiasco. We talked about it on the show. This is where a kid managed to order a dollhouse and cookies from Amazon Alexa because the parental controls were not activated. And then ironically, the TV news anchors compounded the problem with the report because the anchor said as part of the story, "I love when little girls say, Alexa, order me—"
You can't say something like that on a podcast.
Exactly. Exactly.
Oh my goodness.
Let's fast forward to today.
All right.
Let's start with last month, where White House Press Secretary Sarah Sanders took to Twitter to call out Amazon after her young son inadvertently ordered an $80 toy using the company's Echo device. And she tweeted, "Alexa, we have a problem. If my 2-year-old can order a Batman toy by yelling Batman over and over again into the Echo..."
In fairness, at least he didn't order a copy of Fire and Fury.
Oh, political. But things are about to get a lot worse, I think, at least in the UK. Pet food suppliers Purina launched an Alexa-focused ad campaign in the UK recently. Tell me if you can catch how this ad might be opening a can of worms rather than a can of tuna flakes and gravy.
"Alexa, reorder Purina Beyond cat food." "Order confirmed." Okay, that's pretty blatant.
Highly sophisticated campaign there.
That's so subtle.
Cute cats though.
It's clever, right? Clever. So not surprisingly, a viewer lodged a complaint with the advertising regulator saying that the ad made the virtual assistant device place an order for said cat food.
Yeah, quite right too.
And according to the BBC, the viewer complained that the ad was socially irresponsible. Now, upon receiving this complaint, the UK ad regulator ASA— actually, let's make this fun, let's make this fun. I'm going to give you a choice. Did A, ASA, known by ad types the world over to be super strict, uphold the viewer's complaint and slap Purina smartly on the wrist for their unethical attempt at getting on a virtual shopping list?
Okay.
Or B, Did the ASA say, "We concluded that the ad was not socially irresponsible and did not breach the code"?
Yeah. Do we need some quiz music? Ding, ding, ding, ding, ding, ding, ding. I'm going to say that they were super strict and told Purina, "Don't be such wallies, please." They did not.
Now, I will get to the socially irresponsible bit in a minute.
Hey, thanks for asking me my opinion. I actually was gonna say I have hope for my UK counterparts that you have better taste than we in the US do and say in the US this would have been totally fine, but in the UK y'all are better about it. So you'd say nope, this is not okay.
Yeah, I have a lot of friends who work in advertising and they say trying to get ads into the UK TV channels is so difficult.
There are so many regulations compared to the US. I mean, it's a free-for-all over here, so I know ads like this are completely fine in the States. I see them all the time. Yeah, so maybe it's not a big deal for our US listeners, but for us it's outrageous. Anyway, I decided to have a look at the UK Code of Broadcast Advertising, and it does indeed seem that there is nothing that jumped out at me that would control this emerging type of ad loophole, where basically devices are communicating to each other, bypassing the person who actually owns both devices. Adult diapers, cat food, and sunglasses. That's a really weird party.
So you're expecting a wave of adult diaper TV ads now?
Well, I'm expecting— my thinking is that ad guys around the UK today are going huzzah and rejoice.
It's a pretty rubbish ad, isn't it? Anyone— Actually, any humans who are watching the television are just going to get tired of everyone pulling off the same prank, frankly, aren't they?
Yeah, it's a gimmick.
Yes. And it's been— it's been like South Park had a whole episode where they did that.
Yeah.
Well, maybe not here. I expect that we're going to see every ad on telly in the next few months barking shopping orders at our devices. And presumably it wouldn't just be necessarily orders which they're making. They could also send a command saying, you know, dim the lights or something, put on the sexy music or something else.
Yeah, it's Valentine's Day.
Yes, play Smashing Security.
Hey, hey, Amazon Echo, play Smashing Security. All right, fair enough. This episode of Smashing Security is sponsored in part by Rapid7, trusted by over 6,700 organizations globally. Rapid7's security solutions harness the critical information essential to protect an organization's best interests. And thanks also to LastPass for sponsoring this episode of Smashing Security. Failing to protect your business's passwords could be a costly mistake.
Pick of the Week.
Squeak. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever you like.
You like.
It doesn't have to be security-related necessarily.
Yeah.
My pick of the week this week, I'm going to recommend to you an app which you can install on your iPad, or I think maybe there's a PC version of it as well. It's called Dinosaur Chess, and if you have a young person in your household who you'd like to teach to learn chess, maybe you can get them interested in it via the power of dinosaurs.
That's cute.
Cute, I automatically love it.
That's crazy, all right.
Another bad accent.
Let's teach you how to use the knight. And the more you succeed in the various chess trials and puzzles it gives you, the bigger and more powerful your dinosaur becomes in order to have the dinosaur fight against the T-Rex at the end.
Okay, kids nothing. I will play this. That sounds great. That sounds really fun. Oh, it's good fun. And it actually plays a reasonable game of chess. So it's good fun.
Excellent pick of the week, Mr. Cluley.
I like it.
Yeah. Give that one to him.
Thank you.
Thank you. Maria, what's your— pardon?
I hear Carole has already clicked on the link for my pick of the week. All right, well, I am nothing if not keen on serving up complete nightmare fuel for all your Smashing Security listeners. So without further ado, please have a little listen to the Furby organ. I promise it's not really—
Furby what?
Organ in this case refers to a musical organ.
And is he a Furby that I'm looking at right now? Because he's got hair like a Furby.
He's got 44 Furbies attached to a musical organ, and they all work together to play music. It is completely horrifying and amazing and creative, but mostly—
No, Maria, where did you get this?
Where did he get 44 Furbies from?
I am not an internet superhero, but I do have my sources of really weird shit on the internet. I'm really good at finding the weird shit. Yeah, I told you I'm on Reddit a lot, right?
So as he plays with his organ, his 44 furry friends chirp up.
That's actually why I— Mm-hmm. Yep. If you skip to, let's see, it's a long video, but skip to about 3 minutes in and you can see the whole thing at work.
Okay, here we go.
It's about 3 minutes in.
Oh, here it goes.
I love his notes. I love the notes, how clear they are.
And they're wiggling their ears. I kind of like Furbies. How do we feel about Furbies?
Are you kidding? You like Furbies?
They're not like Cabbage Patch dolls, which are just—
No.
The marble machine.
The Wintergarten is brilliant.
You seen that?
What?
The Wintergarten marble machine. Maria, you should check that out. I would contend that that is— oh, I've seen this.
Yeah, yeah, yeah, yeah, yeah. It is.
I'm sending it to you right now. Here we are. I'm putting it— I'm going to put it in the show notes as well. And frankly, it's a heck of a lot better than Fabioch.
But not as funny.
Yeah, I was going to say, I do not doubt that musically there are way better things out there, but they're not made with Furbies.
Yeah, you win. You win.
Thank you, Maria, for your pick of the week.
You win the Furby war.
You're so welcome.
Top that if you can. I think I can. I think I can. So listeners may not know that we as podcast hosts have actually no idea who's listening to us, and that is why so many podcasts go out and ask users to fill in surveys and forms just to get an idea of who's listening and what they think of the show.
I've been waiting so long for this moment, but we're finally interviewing this plant.
Hello, puppy.
Poppy, thank you so much for having me. How are you today, plant?
You look so beautiful. Okay, this is the YouTube sensation Poppy, and in this clip, she's sitting against a white background interviewing a basil plant, and that's all. She has 235 million views combined, increasing by 250,000 a day. Both these names are obviously— I had to delete, stop the video because I'm too alarmed. I can't watch anymore, it's just too weird.
It is weird. So last year she launched an album, this Poppy girl, and there's one called Here's My Microphone, which is just edgy enough for me to listen to. The rest is a bit saccharine for my PJ Harvey-loving ways, right? But she's also just launched her subscription YouTube channel. And the reason you need to pay attention, and I think it's The Guardian says it best, she is the sort of celebrity who could not have existed even half a decade ago, born of and beloved by the internet and essentially unknown outside of it. And her YouTube channel is crazy. It's crazy fun to dip into. So I suggest go take a look, if only just to be able to talk to your kids about it and watch their eyes grow like sausages.
So does she always talk in this weird, twee kitty voice?
She has this one where she's like, "People often ask me if I'm in a cult. I am not in a cult." And then does loads of cult stuff. And that video is like 40 seconds. Odd, crazy, but interesting.
Can you get this on YouTube for kids? Because if you can, I just want that banned right now. Because this, this— I forget all that, forget all the clowns and things and sharp knives.
Oh, are there really any beheadings on YouTube for kids?
Oh yeah, you don't mind the beheadings.
Oh, there are? Oh, okay.
Yeah. Yeah, there are. Yeah.
That's— I don't know if you've read any articles recently, Graham, but yeah, that's the problem.
Or listen to any podcasts, which I won't.
I can send you a little link to— Okay, this show has got weird enough.
That's what I'm here for.
No, don't thank you. I mean, thank you. Next time you're on the show, Maria, thank you for bringing a proper pick of the week rather than anything which is going to spook us out. And on that bombshell, we've just about wrapped it up. Crikey. If you want to follow us on Twitter, we're at Smashing Security without a G. Twitter wouldn't let us have a G. We're on Facebook. Just look for the Smashing Security Podcast Group. And we've also got a store at smashingsecurity.com/store. And thank you for tuning in. If you like the show, rate it on Apple Podcasts.
And thank you to everyone who already has. I've been wanting to say that forever.
And yeah, leaving a review really helps new people discover the show and you can check out past episodes at smashingsecurity.com as well. Until next time, thank you so much, Maria, for joining us. Joining us yet again.
My pleasure. Thanks for having me on.
And no problem, Graham.
From Carole and me to Lou. Bye-bye.
Hey, at least you didn't forget to ask me a question when you were doing a poll in the middle of the segment. I was like, okay, well, fine.
Sorry. Do you know what I need to do? Actually, this is really— from now on, I'm going to always ask guests first, then Graham, because I think I normally do that.
Yes, maybe it was on purpose. You're like, I don't actually care what Maria thinks.
Oh, I always care what Maria thinks. I care what Maria thinks a bit more than someone else on the ship.
Further reading:

Thanks for the heads-up. For the security conscious but technically illiterate, perhaps there is a browser extension for FF and others that can be recommended to guard against this? I see there are a few, but it is difficult to know which are effective.
Some anti-virus software and many ad blockers (you're running an ad blocker, right?) can prevent Coinhive's cryptocurrency-mining code from running without your permission.
Learn more here: https://github.com/hoshsadiq/adblock-nocoin-list/blob/master/README.md