
At the start of this month, the chief financial officer of Chinese tech giant Huawei was arrested in Vancouver at the request of US authorities.
Meng Wanzhou faces extradition to the United States on the charge that Huawei used a shell company to access the Iran market, in contravention of US sanctions.
The arrest made headline news around the world – with many speculating on its impact on current US-China trade negotiations, or suggesting that Western technology leaders might be wise to avoid visiting China in case they faced tit-for-tat reprisals.
And, of course, it was hard for the media not to once again raise the concerns of some Western countries that Huawei might not be the ideal business to build 5G mobile networks because of alleged links to the Chinese government.
(For its part, Huawei continues to deny claims that Beijing views Huawei as a way to spy upon the communications of Western governments and companies.)
All serious stuff!
So I, for one, was bemused to see a report from Johannes Ullrich about how scammers have tried to exploit the situation – sending messages through WeChat claiming that the wealthy Meng Wanzhou needed a few thousand dollars to bribe a corrupt Canadian guarding her cell.

According to the ISC SANS blog, the message translates as:
“Hello, I am MENG Wanzhou. Currently, I have been detained by Canadian customs. I have limited use of my phone. Right now CIA is trying to get me into the hands of the US government. I bribed the guard of my room, and urgently need US$2000 to get out of here. Once I am out, I will reward you 200,000 shares of Huawei. I will be good on my word. if you are single, we can also discuss the important thing in life. The guard’s name is David, the account number is 52836153836252, swift 55789034. I will be good on my word”
Yes, not only could you be rewarded with 200,000 Huawei shares, but – if you send Ms Meng a meagre two thousand bucks – it also sounds as if she’s open to potentially having a personal relationship with you!
There’s bad news for the scammers though. Meng Wanzhou has now been released on bail.
At least that’s what we’re being told. Who is to say that she hasn’t had so many people send her thousands of dollars that she’s been able to bribe the judge as well as her prison guard?
(Umm, joke.)
For more discussion of this topic, be sure to listen to this episode of the “Smashing Security” podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
So let's do a show and tell, okay? So what do you guys think an appropriate response to the following might be? "I never feel skinny enough. I make myself throw up." Well, you're not that skinny, Carole. I do sometimes... You sometimes do make me throw up. If I think about you, I mean that's... Sorry, is that... Graham, Graham.
I'm Carole Theriault.
Hello, Carole. How are you? What's going on? I'm good. I've got a funny story for you, Graham. What? Because every fall he gives me a bag of damsons, you see. So there you go.
Yes. Get your mind out of the gutter. Never mind. And we're joined this week by a special returning guest. It's our pleasure to have Mikko Hyppönen back. Hi, Mikko.
Hi there. Hello, Graham. Hello, Carole. How are you?
Mikko, great. So glad you're here. Thank you. You know, my young son is off school today because he's a little bit sick, or at least claiming to be a little bit sick. He is! He is!
Isn't that far from the truth, really, is it?
No, no, no, no. I'm not a superhero. I'm a supervillain.
Do you wear your pants outside your trousers? That's what we all want.
No, not yet. But, you know, I'm sure when I retire...
I'm sure Graham will be your Robin. I'll return to you on that topic, yeah. We'll get back to you on that.
Mikko's talking everything Huawei, and Carole is doing a little deep dive on some chatbot apps. Plus, we have a bonus interview from one of our previous guests. Oh, Carole sounds curious. All this coming up.
You need a password for your email account. You need a password for your Amazon, your eBay, your PayPal. All, you need passwords for everything these days. And if it wasn't enough of a nightmare looking after your passwords on a personal level, imagine protecting every password inside your business. That's where LastPass comes in. Every password is an entryway into your business. LastPass makes it easy to secure them all. With centralised control, you can get insight into employee password behaviour and the power to change them from your admin dashboard. Find out more. Visit lastpass.com/smashing. And welcome back. Now, I want you two chaps to imagine that you worked at the airport.
Oh, the glamour. I used to work at the airport. Did you? Yeah, I used to work at the airport in Ottawa. PR. That was one of my first jobs. And I spent half of my time at the airport.
Well, imagine you are the person who answers the phone at the airport. There's only probably one person at the airport who answers the phone. The person who helps people know if their plane is delayed, whether you can buy Toblerone in Duty Free, those sort of important questions.
Information.
Yeah. Oh, right. Okay. And one day, you get a call like this.
My daughter just called me ten minutes ago, crying on the phone, saying that her flight was getting hijacked. She said they were holding them hostage, and that they were being pushed to the back of the plane, and one of them had a bomb. They had everybody at the back of the plane.
Oh, God. I don't know what I would do. Pretty serious stuff, eh? Well, I'm going to tell you the story of how things got to that bonkers state. There's a college in Watford?
Yes. There are people. Watford's not that bad.
I didn't say it was bad. I used to live just down the road from Watford. I think the real question is, is there a college which has not experienced a DDoS? Right. Yeah. And in particular, is there a college which hasn't suffered a DDoS attack from one of its own students studying in IT? Which is what happened in this particular case. So it was one of their own students, a guy called George Duke Cohen, at the time was 18 years old. And they identified that it was him, but they allowed him to stay on the course for who knows what reason. A decision which I imagine they came to regret, because just a few months later, at the end of January this year, the college was on the receiving end of a different type of threat. An email bomb threat was received by the college, which, understandably, they tend to take those sort of things seriously, just in case. And 2,500 students and staff were evacuated from the college. And who do you think was responsible? George Duke Cohen. Blasted George. The same guy who did the denial of service. Now that time he got thrown out of the college and the police were called and they gave him a good talking to and said don't be naughty ever again. But soon after, bomb threats were emailed to over 1,700 schools and nurseries up and down the UK saying that explosives had been planted, and the email said that unless five thousand dollars' worth of cryptocurrency was moved into the account of a US-based Minecraft server, buildings would be blown up. And basically, they said, we're going to blow up everything unless the payment's made, right? This is a really fun story, by the way. Thank you. I'm glad you're enjoying it. Well, now, the fact that they were saying put it into the account of a Minecraft server didn't mean that the Minecraft server were the people who were actually threatening to blow up the place. That, of course, was something of a Joe job. They were trying to make the authorities think that it was this Minecraft server because someone had a grudge against them.
Hundreds of schools were evacuated and who do you think was responsible for all of these email threats? George. George Duke Cohen. A couple of days later someone called Hertfordshire police claiming that their phone had been hacked, rather unusual call to make. Who was the person making the phone call? George Duke Cohen. And police were thinking, who's this strange chap who's calling us up? He's referring to these school threats and other things. He's—
Knitting with one needle, right? Well, this will come up later, exactly what his problem is. But police arrested him. They finally arrested him. They seized his computers and smartphones. You're grounded for sure this time.
And the messages were quite scary. They said you know a male student is going to come onto your campus, he will look normal but inside his bag is a bomb, it's a powerful explosive, you need to put your school on lockdown, we are planning to kill every student in the room.
And this is still and we want you to put money into this Minecraft server? At this point they're not asking specifically for money. This has been done basically for lols, to laugh.
My daughter just called me 10 minutes ago crying on the phone saying that her flight was getting hijacked. She said they were holding them hostage and that they'll be in touch to the back of the plane and one of them had a bomb. A British man calling himself Mike Sanchez rang up San Francisco International Airport claiming that he'd been contacted by his distressed daughter who was traveling on a United Airlines flight from Heathrow. And according to the man as we heard his daughter basically believed the plane had been hijacked and a man was pointing a gun at them.
I have no idea. This is a wacky story, so I'm going to say no. Okay. Police arrested George Duke Cohen again. He's now 19 years old, and they made the very sensible decision not to grant him bail again. He could have faced up to seven years in prison for what he's done. Someone knitting with one needle. Yeah, something like that. But it was surprising also because this wasn't a teenager. That narrows the possibilities of who might have done it, I guess. Yeah. I mean, that's really determined, isn't it, writing it in assembly language as well. think any of our listeners need to hear that, Graham. They're all pretty cool as far as I'm concerned. Go and have a sauna. Relax. Yes, I have. I have. They are. They are very cool, actually. Yeah, because the Americans are citing national security issues along this, aren't they? They are. And there's so much discussion, not just from USA, but from UK, from Australia, from Japan, that we must not use Huawei made 5G gear because that's less safe and they're going to use it for spying purposes. And Huawei is so close to the Chinese government. Yeah, and Canada is caught in the crossfire a bit, isn't it?
Yeah, it is weird. I mean, of course, the arrest was done in Canada because Huawei leadership team has avoided traveling through the United States or visiting the United States for something like three or four years now to avoid this situation. Exactly. I mean, that's the reason why Mrs. Meng was transiting in Vancouver. I actually checked this. That's not the best route. If you want to fly from Hong Kong to Mexico City, the most logical place to transfer planes would be San Francisco or Los Angeles. But avoided both of those and went to Vancouver instead, apparently assuming that she would escape the long hand of the US law. Apparently, she did not. And now they are fighting extradition. And so by this logic, if a country, let's say Peru, for instance, if Peru decided that Finland was full of supervillains, they could ask Canada that if I was travelling through Canada and I'd previously done business with the supervillains of Finland, the Canadians might arrest me at Peru's bequest. And so it's so bizarre, isn't it? It's probably because Canada and US probably both have similar sanctions. Maybe not me, I'm just shooting from the hip here. But this surely is a problem for other technology companies whose senior executives might be traveling to, oh, I don't know where, China, and maybe worried that there's going to be some tit-for-tat action here.
You have to admire a human being's ability to think outside the box.
If the offer of the shares isn't enough, she goes on in this message to say, I'm good for my word. And if you're single, we can also discuss the more important things in life.
Shush, shush, she did not. That's for the long step. Where do I send the money? Where do I send it? Yeah. Yeah. I'm with you. I hate it. I hate it. I hate it.
Carole, what's your topic for us this week? Well, I want to talk about chatbots. Chatbots are basically fake humans. They always keep asking, you know, tell me, welcome to our website. How can I help? Fucking off. Yeah, totally. Are these something which young people will talk to on their mobile phone or something? They're typing on it. So rather than having a pal to WhatsApp with, they chat with this.
With a bot, with an algorithm, a program that then tries to. And it tries to help them with their mental health issues or just make them feel good about themselves. Right. This is what these two chatbots do, right? That's really good. I didn't even think of that. That's right. Well, you're not that skinny, Carole. You sometimes do make me throw up. If I think about you. Graham, you're mistaken. That's not what she was asking.
It's a bit like saying I really fancy listening to some Leonard Cohen or Joy Division or something like that. It's danger danger, you're clearly depressed right? Hey listeners, so I'm in the process of editing this section of the podcast and I totally did not hear that Graham complained about Leonard Cohen because had I heard that bit I would have made a huge stink. So just saying. Anyway, back to the show. So this really, Eliza basically hasn't evolved, has she? She's just as bad as she was 30 years ago. Just like Eliza. Yeah, a wiser Eliza, she is not. Yeah, very good. Thank you very much. Yes, yes I've been looking into the crazy world of mental health mobile phone apps.
I know what tipped you off to this story.
Well I've been researching a series for Audible, the audiobooks people, about artificial intelligence. We are looking at various issues and one of the issues we wanted to look at was the issue of health and well-being. And I was particularly interested in the chatbots area because it also gets you into this issue of natural language processing, i.e. can computers understand us humans and the way we talk and interact.
That's cool. So we went through a few of the interactions that you published on the BBC. How long did it take you? How many did you do? Very few. I mean, really, I did about six or seven, I think, on each app. So we're looking, the two apps are Wysa and Woebot, which is of a pun, it's a robot that deals with your woes. Well, they claim to do that. They claim to do that. Obviously, the results indicate a little bit differently. These apps are effectively trying to operate as a triage system? I think that's one of the arguments for them. And I really get this argument that mental health support and treatment is expensive if you do it privately. And if you do it on the National Health Service or public services, there's a huge waiting list. I really get that. I understand the dynamic behind it. And I think that's a reasonable explanation for trying to do these things. And you wrote that some of them were recommended by the NHS. Yes. One of the apps, Wysa, has been recommended by Northeast London Foundation Trust, NHS Trust, who said, look, we did a lot of testing with our clinicians, with child users. And do these apps cost money? They don't, but they are free to download. There is another controversial side to this, which I know some psychologists and some counsellors are worried about, which is the freemium model, that horrible portmanteau of freemium, where they're free to download, free to use initially. It feels a bit like the heroin model. There is an element of that. However, you could argue, well, the investigation I did was about the automated side of these apps. I also don't like the idea of what they're actually doing with that information. I mean, are those chats logged? If it's free, you don't really have a leg to stand on. From looking through my brief look through the terms and conditions, they are quite hot on that and they're quite present about that. So the whole point of it is really it's an anonymized service that doesn't go any further.
Now, in the app, is there a button that's like, report this response is ridiculous or inappropriate?
Not that I found. Certainly, if it is there, it wasn't easy to find. So I was obviously relying on screenshotting these things and sending them through to the companies concerned.
What did they say when you pointed out all these problems?
In fairness, both Wysa and Woebot responded fairly promptly. In the case of the actual specific phrases that I typed in, they have both said we are going to address that, we're going to make sure the responses are more appropriate and that the crisis system flags them up if they need flagging up. Woebot has now introduced an 18 plus age check and is now adults only, so it's no longer for kids. Wysa said they're going to release an update I think early next year which is going to address some of these concerns and they're also going to do more testing. They work with a clinical safety officer I think is the title, and so they're going to do more work to make sure the responses get flagged up. Wysa said, look, if it had been a different set of circumstances, you would have got a more appropriate response. But as I say, certainly in the tests that I tried, the response was frankly insensitive. And for the child protection experts I spoke to, very worrying indeed for them.
Yeah, I mean, I'm surprised with Wysa's response that they want to stick with promoting this app to kids over 13.
Wysa's response generally to the queries that I had was extensive. Wysa have done a lot of testing with this, as I say, with the NHS trust they've worked with. They really are full on for helping children's mental health. They see that as their role. They believe they're doing enough testing to make this clear. What sort of worries me a bit is, you know, I can keep telling them, look, I typed in this phrase and I got this answer and that's not good. There's just an infinity of phrases that are so nuanced. I wonder whether the software will ever be able to catch all of them. Wysa's response, though, was to say, well, look, as long as we don't cause further harm, we know the software is not going to spot every worrying response. But as long as it doesn't give an answer that says, yes, go for it when you type in you want to do some damaging to yourself, that really seemed to be their kind of bottom line.
Well, Geoff White, this piece of investigation was a great read, and it looks like you made some changes. So they have some age limits now on the Woebot app, thanks to your research. So that must feel good. And hat tip to you.
Thank you very much. Good to speak to you. I'm a bit worried about when these chatbots inevitably get hacked and they build up a relationship with you through your chat and all the rest. You think, oh, this is going quite nicely, even though they're a bot. And then they claim to be imprisoned by some Canadian guard and they're asking you to wire money into the account. That's the next level. That's where these things are going to go.
Graham, I hate the way you think.
Well, they will probably address the specific concerns and terms which have been raised by the BBC. But of course, there will be countless others, which it won't handle properly. And I have one last note about the speaking chatbots. The Google Duplex demos were really impressive, but apparently the Chinese Alibaba has much, much better spoken word chatbots speaking Mandarin, which are hard to tell apart. We'll put a link to that show notes about how they're faring over there in China. Cool. Excellent.
That's a second, that's a second in a row.
Pick of the Week. It is in the contract. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. You're getting faster and faster. Doesn't have to be security related necessarily. Should not be. Mine is not security related. It is a TV show which appeared probably a couple of months ago now, actually, on Netflix. It is season two of a fascinating documentary called Making a Murderer.
Oh, yes. Watched it. Gobbled that one up.
Yes, my goodness gracious. If you didn't see the original Making a Murderer documentary, it is basically a sort of fly on the wall over maybe up to 10 years about a chap who has been imprisoned. And he was previously imprisoned because of a miscarriage of justice. And it's now been argued that a new murder, which subsequently happened, well, his conviction for that may not have been right too, so he remains in prison, and season two is very much a response to the first series. He's got a new kick-ass lawyer called Kathleen Zellner. I loved her. What did you think of her?
She is pretty much the most amazing character I've seen for a long time. Yeah, I love that people like her actually exist. I mean,
I'm reveling in her character, but yeah, she's like the real Cruella de Vil. There is a bit of that about her, but she's clearly got a finely honed mind. And occasionally you just think, my goodness, the level of detail that she's gone into in putting this case together to try and get this guy off the hook. I'm not going to give you any spoilers, but I really recommend season two of Making a Murderer.
Isn't there a podcast that basically analyzes every single episode and talks about how maybe she may have got things wrong? Yes, there is a podcast from the other side of course because naturally law enforcement in the states believe that they got the right man. I can't, I think it's something like Unmasking Making a Murderer. I can't remember the name of it. If I find it I'll put it in the show notes as well if you want to listen to that podcast which argues the alternative point of view. But I'd really recommend it whether you think they're on the right trail or not, it's a superb documentary. Watch series one and then check out season two as well. Oh my gosh.
Very well, when it was released I actually had the pre-release versions already. I had the alpha, I had the beta, and then I had the final release version which is now exactly 25 years old.
My brothers did too. I remember them playing this before I even went to university.
Yeah, it was crazy. I mean, you were running this on your 486 machines, MS-DOS. We had no graphics accelerators. It was surprisingly fast. It had great music. And of course, it was scary as hell.
How many hours do you think you devoted to Doom in your life?
Probably months of my life I spent playing Doom and Doom 2 and all of that. And then I spent a lot of time making a map of our office in 1994 into a level in Doom.
No way!
Absolutely. We had this WAD editor. That's where the map files for Doom. So you can make your own levels. It was open in that sense. And in fact, they actually open sourced the whole game fairly early on. So that's why we had so many modified versions of Doom. And we had Doom running on ATMs and credit card terminals and watches and everywhere. It is such a phenomenon.
I had no idea.
And we're going to put a link to show notes on how you can actually play the original shareware version of Doom inside your browser on your Windows or Mac laptop. I just played it an hour ago. It's just like the real thing. Everything works like it did in the original one. It's highly recommended.
What a bonus giveaway for our listeners. I feel like I've really missed out because I think I've probably played Doom for about 12 minutes.
Carole, honestly, you wouldn't be able to play longer than that. You'd get all dizzy and you'd have to lie down. I do, I do. I did play Wolfenstein 3D for longer, but I got all motion sickness. And it's like, oh crikey, I need a fizzy drink. I think the best example of how important Doom was in 1993, 1994, was that I was already working inside F-Secure at the time. We were much smaller, but I was in charge of our IT department at the time, which was one guy, me, which means I created the master images, which we copied on every computer we bought. And that master image was running MS-DOS 5 with Windows 3.11 for Workgroups. And when it would boot up, it would actually boot up to Doom. Every machine would run Doom. And if you didn't feel like playing, then you could hit exit and go back to MS-DOS, and then you could boot up Windows if you fancied Windows. I mean, if we had a power outage, every machine would reboot and every machine would be playing Doom.
You see, kids, we knew how to have fun in the old days. And amazingly, his company has survived and is still going strong. Maybe that's why. But for sure, our computers are no longer booting by default to Doom. Well, my Pick of the Week is a podcast. And actually, I think I may have showcased this pod before. So if that is the case, I am not going to break Pick of the Week rules. I will select a specific episode from this said podcast. So the podcast is called Love and Radio. This is a podcast that weaves curious people or situations into really beautifully edited pieces of art. Really, it's edgy. It's sometimes a little bit fruity. It's sometimes incredibly shocking, upsetting. And it's sometimes real and sometimes fiction and sometimes a mix of both. They're not always straight up with that. So you just have to see it as art. Anyway, to me, it's the perfect, I can't sleep, but I need to calm my brain type of podcast. Now, the podcast episode I wanted to feature is called Points of Egress by Love and Radio. Love and Radio is part of the Radiotopia family. Graham, I think I pointed this one in your direction, did I?
You have, yes.
Now, without giving anything away, because there are a few twists and turns in this episode, did you enjoy it?
I did enjoy it, yes. I'm always a little bit cautious when I check out your picks of the week and your recommendations. Sometimes they don't completely work for me, but this was very good.
Even though it didn't have anything to do with chess or Doctor Who, it was all right.
It didn't have anything to do with chess or Doctor Who. My three favourite topics. Yes, exactly. Despite that, I was still interested. It was about a girl who found her boyfriend's journal, wasn't it? Yeah, and she assumes he really digs her, but then reads a few of the diary entries and it shows something entirely different. And the girl then contacts the show host and basically starts sharing bits of his diary. Take a listen to this.
Yeah, yeah, sure, of course.
Well, I mean, you wouldn't tell him that I've been reading the diary, would you?
Okay. Yeah, yeah. I think that would be okay.
You got me interested. I will check this out today.
Yeah. Okay, cool. Do see. Yep.
And listen right to the end. Right to the end.
Anyway, so that's my pick of the week. Enjoy it. It's Points of Egress by Love and Radio, a wonderful episode of the podcast.
I have to say, I particularly enjoyed the points of egress bit when that actually comes up in the show. That made me chuckle. But, yep, definitely worth listening to. And the thing is, you know, because I do a podcast, I can say this with some level of knowledge. It takes so much work to do a podcast of that caliber, you know, and of that, to have something with music and good editing.
Whereas a podcast of this caliber takes no time to do that. We do the best we can. We work hard. I don't think people would believe how long we spend editing this thing. They wouldn't believe it. They think we're full of... Anyway, that just about wraps it up for this week. Mikko, I'm sure lots of people are already following you on the socials. But what's the best way that people can get in touch with you or find out what you're up to? The best way to reach me is on Twitter as Mikko. That's M-I-K-K-O. That's it. Fantastic. And you can follow us on Twitter as well at Smashing Security. No G. Twitter wouldn't allow us to have a G. And you can check out our online store and grab some T-shirts and mugs and stickers just in time for Christmas at smashingsecurity.com/store.
And thanks, as always, for listening. If you want to help us grow and deliver more cool content this week, get someone to leave us a review, go on and be a nice Christmas present for us. We deserve it, right? And high five to all our sponsors who make the show possible.
Yeah. Until next time. Cheerio. Bye bye.
Later. Wonderful listeners. Rock and roll boys. Thank you.
