Instagram breach deepens with dark web ‘Doxagram’ domain

Hackers call platform’s efforts to fight back “odd”

David Bisson

Attackers have set up a dark web domain for their “Doxagram” site that offers for sale the email addresses and phone numbers of high-profile Instagram users.

On 5 September, The Daily Beast reporter Joseph Cox tweeted out more than two dozen domains recently purchased by Facebook in an effort to protect Instagram users’ accounts against unauthorized access.

https://twitter.com/josephfcox/status/905000462000295936

As of this writing, Instagram and Facebook together have registered at least 280 domains for “Doxagram,” a service which hackers are using to spread the email addresses and phone numbers of potentially millions of Instagram users.

On the one hand, Doxagram appears to be linked to an incident in which hackers exploited a glitch in Instagram’s API to expose the email addresses and phone numbers of only high-profile members like Selena Gomez.

On the other hand, Doxagram also contains regular users’ account data, with the hackers saying they have information pertaining to more than 6 million members, reports The Daily Beast.

Doxagram, which allows anyone to harvest account information for just US $10 a record, originally appeared as a .com domain before getting the boot from its web-hosting company. The service then appeared as a .ws domain before once again going offline. Those responsible for Doxagram suspect Facebook was responsible for these takedowns.

But they’re not worried about Instagram’s efforts. In fact, they think they’re “odd.”

Cox might know why they feel this way:

“Despite Instagram’s apparent efforts, grabbing as many related domains as possible may do little to stop the flow of this data. Not only do over 1,500 different types of domains exist, the people behind Doxagram have also launched a dark web version of their website.”

A clever move on their part. A dark web site allows the hackers to reach an audience who would truly be interested in purchasing and monetizing users’ stolen Instagram credentials. Also, the hackers don’t need a company like GoDaddy to manage a dark web location; they can do it themselves. This makes it extremely difficult to take down a dark web site unless you have the involvement of federal law enforcement.

Those responsible for Doxagram said their service has made US $4,100 across its public and dark web versions so far.

Given this active “business,” it’s important that Instagram users watch out for phishing emails, calls, or texts that attempt to steal their account credentials. They would also be wise to set up a PIN with their mobile carrier lest someone attempt to steal their phone number and port it to a device under their control.

To learn more about this story, listen to this episode of the “Smashing Security” podcast:

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
A big thank you to our sponsors, Recorded Future.

Recorded Future arms threat analysts, security operators, and incident responders to rapidly connect the dots and reveal unknown threats.

Their patented technology automatically collects and analyzes threat intelligence from technical, open, and dark web sources.
GRAHAM CLULEY
Why?
CAROLE THERIAULT
To provide invaluable context for faster human analysis and real-time integration with your existing security systems.

Sign up to their Cyber Daily newsletter and get the latest insights from Recorded Future at recordedfuture.com/intel.
Unknown
Smashing Security, Episode 41: Hacking Instagram, Facial Failures, and Spying Bosses with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Episode 41 of Smashing Security for the 7th of September, 2017.

My name is Graham Cluley, and I'm joined as ever by my good chum and co-host Carole Theriault. Hello, Carole, how are you?
CAROLE THERIAULT
I'm well, how are you?
GRAHAM CLULEY
I'm gorgeous. Oh, we're going to sing the whole episode. That'd be fun, wouldn't it?
CAROLE THERIAULT
We should do a rap one day.
GRAHAM CLULEY
I don't know.
CAROLE THERIAULT
I can get my husband to write mine.
GRAHAM CLULEY
Yeah, yeah, lucky you. And we are delighted to welcome back a special guest, David Bisson. Hi, David.

You've been on the show before, of course, but for those of you who don't know you or haven't heard of you, tell us about yourself.
DAVID BISSON
Well, I'm an infosec journalist. I write for a bunch of different places like Tripwire, Carbonite, and of course your site, Graham.

So yeah, constantly plugged into what's going on and yeah, just trying to raise awareness about security issues and give some helpful advice along the way.
GRAHAM CLULEY
Well, you certainly do that and you're very prolific and keeping up to date with the latest computer security news, which is what we try and do on this podcast, of course.

And lots of interesting things have been happening in the last week. One thing which we've touched upon a few times, and I think it's worth touching upon as well this week.

The latest developments in regard to this is the case of Marcus Hutchins, also known as—
CAROLE THERIAULT
I wondered whether you were going to bring that up.
GRAHAM CLULEY
Oh yeah, also known as MalwareTech.

He's the young British security researcher and WannaCry accidental hero who got arrested in the United States in relation to the Kronos banking malware.

And as you know, there's been a lot of people in the infosec community who've been supporting Marcus and even raising money to help his legal fight.

But there is something else going on as well.

Brian Krebs, of course, the famous Brian Krebs, superstar security blogger and investigative journalist, has been doing his usual thing, digging deep on the internet, and he found what he claims to be evidence that Marcus Hutchins may have left quite a shady trail for himself on various hacking forums.
CAROLE THERIAULT
Have you read it? It's pretty damning, I think.
GRAHAM CLULEY
Well, yeah, I have read it, and I think it's— we'll include a link in the show notes.

Certainly it does suggest that Marcus in earlier years, maybe between about 2009 and 2012 or 2013, using a variety of pseudonyms, not just lurking on these forums, but was quite active.

And it looks like dabbling on the dark side.
CAROLE THERIAULT
So how old is he now? Do you know?
GRAHAM CLULEY
I think he's about 22 or 23.
CAROLE THERIAULT
Okay. So he would have been a late teen. Yeah.
GRAHAM CLULEY
Late teen. Yeah. There's some interesting evidence which Krebs has brought up.

There's one piece which is very obvious and visual for people who don't have the patience to read the article.

There's a video on YouTube where somebody is silently demonstrating a Hotmail password cracking tool and showing how you can break into accounts that way.

And for just a couple of seconds, when the screen switches and some windows change, you can see in the background that this user is logged into an MSN Messenger window and you can see the email address, which is logged in there.

So it's curious, but there's lots more there. Go and read the Krebs article.
CAROLE THERIAULT
It's like a CSI episode.
GRAHAM CLULEY
Well, you know, it's— this is something which has really shaken the computer security industry, has been the arrest of Marcus Hutchins. Most people are very supportive of him.

He's certainly done a lot of good stuff, but it's raised questions about how many of us might have potentially done some shady things in the past.
CAROLE THERIAULT
Oh, David, are you going to admit to anything?
DAVID BISSON
Ooh, confession time.
CAROLE THERIAULT
Get the popcorn, David.
GRAHAM CLULEY
Well, look, Carole, if we're going to start listing bad things we did in our youth, I think maybe you should take the first round. I'll join in about Christmas time.

But are we going to limit ourselves to computers rather than real life?
DAVID BISSON
Special episode here today, folks.
GRAHAM CLULEY
Look, it's important to stress Hutchins has pleaded not guilty to all 4 counts against him.

And Krebs himself says he's found no information to support the claim that he authored or sold the Kronos banking Trojan, which is the main thing that he sort of appears to be being charged in relation to.

But my message, I guess, for everyone is if you're going to pursue a career in infosec, now don't do anything illegal, obviously.

Don't do anything which might cast you in an unethical light, but also learn the elementary lessons about not leaving any digital footprints online because they may kick you up the bum later.
CAROLE THERIAULT
Oh my, Graham, give me a break. How is someone supposed to eradicate their digital footprints online totally?
GRAHAM CLULEY
Well, you certainly need to minimize it. Well, you certainly, there are tools which you can use.

You want to be very careful about the usernames which you use, the email addresses you might use to register domains.

This is the kind of detective work which Krebs has done to pull together the strings of evidence and say, "This looks like Hutchins was doing this." Now, maybe those were errors Hutchins made in his youth.

That all remains to be seen, right? And people do make silly choices in their lives, but maybe he's outgrown that, right? And is now a genuine member of the InfoSec community.

He certainly has contributed an awful lot, not just finding the kill switch in WannaCry.

But there are things which we can all learn, whether we are good guys or bad guys, about not leaving unnecessary breadcrumbs online, which might later come to cause us problems.
DAVID BISSON
So Graham, would you have any advice for people looking to start off in InfoSec? So instead of trying out all these malicious tools, what should people do instead?
GRAHAM CLULEY
Well, I think if you have an interest in these kinds of things, be very careful what sites you join and what sort of software you write.

And obviously you need to get people's permission before you try and penetrate their website or look for vulnerabilities because you may later get accused of doing things which maybe you didn't have permission to do.

So be careful about that. Go on maybe a white hat ethical hacking course, which can teach you a lot of these techniques as well.

I understand a lot of people are interested in these things.
CAROLE THERIAULT
There's a million competitions out there as well. More and more companies are putting their code out there to say, hey, if you can crack this, you know, tell us the vulnerabilities.

And I think that's an excellent way for people to kind of learn their way around the systems and do good.
GRAHAM CLULEY
And there are genuine bug bounty programs which you can participate in and, you know, some people make a great deal of money finding these things, which is terrific if people can do that doing good rather than potentially causing problems.
DAVID BISSON
I guess I could throw that in there too.

If you can, I know that there are internships with different companies and security researchers, so then you can get real hands-on experience working with someone who knows their stuff.

I think that would add an even deeper level too, but just make sure that you're going to someone reputable and just do your research.
GRAHAM CLULEY
And they obviously, by their very nature, could be offering some sort of mentoring as well, couldn't they? Having an older grey beard next to you saying, oh, don't do that.

You know, this is how you do it properly. Because they'll have thought about these things and maybe had some of those challenges themselves in the past.

Hey, anyway, on with the show proper. And what we try and do each week is look at the stories which particularly have caught our interest.

Marcus Hutchins, we thought we have to mention that because we've chatted a little bit about it in the past. But one of the things which caught my eye is Doxagram.

Carole, are you an Instagram user?
CAROLE THERIAULT
No, I am not.
GRAHAM CLULEY
Are you following Kim Kardashian? Have you seen what Kim Kardashian has done now, by the way?
CAROLE THERIAULT
All I know is that she has a big bum. That's all I know about her. Literally, I have no idea why she's famous. I have no idea if she's done anything.
DAVID BISSON
You and the rest of the internet.
GRAHAM CLULEY
The latest thing that Kim has done— not the Kim who runs North Korea, of course— Kim Kardashian potentially as great a threat to civilization.

But anyway, Kim Kardashian has climbed a tree in the nude, and of course she's taken a photograph of herself and posted up on social media.

So the internet's gone completely bonkers, as always. I'm thinking about that because there has been an Instagram hack, of course.

Some people found an API bug on the Instagram site, which meant that it was possible to scoop up millions of users' email addresses and phone numbers, even if they'd set them to private.

And that's bad enough for us regular civilians, right? Us regular people in the street.

But there's another group of people who use Instagram a lot and don't want their details getting out there. And those are those celebrities, right?
CAROLE THERIAULT
Well, well, they are a different class of people. Okay. I get it. All right.
GRAHAM CLULEY
Well, potentially there are more nutters who are interested in contacting them.
CAROLE THERIAULT
Well, yes, because they have a much bigger following as well. So yes, I think they probably have a bigger following.
GRAHAM CLULEY
People might have a crush on them or, you know, there may be physical danger as well, or they may be interested in trying to break into people's email accounts.

Now, no passwords have been breached as a result of this Instagram breach. And Facebook, which owns Instagram, says it's rectified the bug.

So that's preventing more data from dripping out.

But frankly, it's too late because the bad guys have already taken millions of details and they've created this searchable online database which they've called Doxagram, where you can pay a measly $10 to get the details of your favorite celebrity, and then you can ring them up.
CAROLE THERIAULT
It's just so lame.
DAVID BISSON
Wow.
CAROLE THERIAULT
So what, because celebrities aren't going to actually move themselves over to a safer address after— they're just going to sit, they're going to hang for waiting for the crowds of people to email them their love?
GRAHAM CLULEY
Hopefully they're not. But remember, this isn't just— it's not a database of 6 million celebrities. There will be celebrities.

I imagine there are other verified users of Instagram who are included in this. But I think the Instagram angle gives us all a handle which we can kind of understand about it.

And the media obviously get more excited because Hermione Granger herself, Emma Watson. She's on the list.

And the Game of Thrones actress Emilia Clarke, and Taylor Swift, and Katy Perry, and your favorite, Carole, Snoop Dogg, Britney Spears, Beckham, even the official President of the United States account.
CAROLE THERIAULT
You know, for tweens, this is a big deal, isn't it? You could get the email. Yeah, this would be huge if you were 12, 13.
GRAHAM CLULEY
Of course, because you want to contact David Cassidy, or who was your— who was your crush?
DAVID BISSON
Dating yourself.
GRAHAM CLULEY
Who was your crush, Carole? Was it some Corey? There was a kid who was big in Canada.
CAROLE THERIAULT
It was very embarrassing. Yeah.
GRAHAM CLULEY
Good.
CAROLE THERIAULT
Corey Hart. Yeah.
GRAHAM CLULEY
Right. In fact, you've just gone a little, you've blushed a little bit right now, haven't you? Now, Instagram are, so the website got set up, right?

Doxagram.com got set up and Instagram got it shut down. They said, look, you can't do it, please.

They contacted the domain, the web host, and got it shut down and took the domain over. Then doxagram.ws got set up and again, it was shut down.

And Instagram and Facebook are responding to all of these sites popping up like mushrooms by purchasing loads of domain names in advance.

280 doxagram-related domain names, things like doxagram.lol, doxagram.website, doxagram.hiphop are being purchased.

You know, I guess it's not very much money for them to purchase these things. It doesn't cost much.
CAROLE THERIAULT
And I guess they're stuck with the brand name so they can't change away from it.
GRAHAM CLULEY
Well, they can't.

The thing is, even if they were able to purchase, which they won't be able to, purchase 1,000 different Doxagram-related domains, there's nothing to stop the bad guys creating a domain called therealdoxagram.com or something like that, is there?
CAROLE THERIAULT
So it's just cat and mouse games now. Yeah, it is.
GRAHAM CLULEY
The data's out there, and we, or Instagram users at least, put their trust in this service. And once again, they failed us. Too many sites.
CAROLE THERIAULT
Graham's fussy box once again.
GRAHAM CLULEY
Well, hey, my phone number is private. I choose who I give my phone number to, right?

I tell lots of people I don't even have a mobile phone because I don't want them ever ringing me up.

I don't want to have that awkward, no, I'm not going to give you your number thing.
CAROLE THERIAULT
But do you not remember the time when I was doing a talk at some conference and you shouted out my hotel room number to the entire room?
GRAHAM CLULEY
Well, yes.
CAROLE THERIAULT
Contact me if anyone wants Graham's phone number.
GRAHAM CLULEY
As I recall, we had a slide which had a Monty Python style foot come crashing from the top of the presentation, squashing something.

And I said, you know, you had contributed your feet because you have— can I say this on—
CAROLE THERIAULT
Perfect feet.
GRAHAM CLULEY
I was going to say quite large. But anyway, you have— and then I want to say, I said, if you want to interest in Carole's feet and check out room number.

Anyway, yes, you're quite right. I don't, we didn't change your room number, did we? Anyway, look, I've learned my lesson, right? I've learned my lesson.
CAROLE THERIAULT
Step down. Okay, well, thank you very much for that. You can step down from your soapbox.
GRAHAM CLULEY
I just want to give some advice, right? Which is this. And Instagram's co-founder and CTO, Mike Krieger, has apologized.

He's posted up a message and he's telling people, look, be on the lookout for anything suspicious, unrecognized incoming calls, text messages, emails.

There's a potential for phishing here. Ransomware, of course.

And yes, you should enable two-factor authentication probably on the Instagram account, although I believe it's still only SMS-based, which some people have concerns about because that's maybe not the best way to do 2FA.

And obviously you should have strong, unique passwords on your Instagram accounts, even though this breach wouldn't necessarily have actually impacted them.

But I just want one of these websites to be better, you know?
CAROLE THERIAULT
You know what, I think accidents happen, and I think they seem to be handling it really well. They've informed everyone, they've apologized, they're closing down the sites.

You know, I think if you're hoping that nothing ever bad ever happens, you're gonna be hoping a long time.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
It's big and complex. You know, there's a lot of stuff to look at, and I do think they do both take security really seriously, or more than they used to.
DAVID BISSON
Well, I don't understand. I mean, Facebook offers two-factor authentication that's not SMS-based. I mean, you can use Google Authenticator or another app. Why doesn't Instagram?

I mean, that just doesn't make sense.
CAROLE THERIAULT
That's true.
GRAHAM CLULEY
Yeah, they could do better there. Absolutely.
DAVID BISSON
Yeah.
GRAHAM CLULEY
We live in hope, just like those delegates from the 2001 Virus Bulletin Conference lined up outside Carole's hotel room door.
CAROLE THERIAULT
I can't even remember. I can't believe you even remember the conference.
GRAHAM CLULEY
It may not have been that one. David.
DAVID BISSON
Yes.
GRAHAM CLULEY
What's your topic this week?
DAVID BISSON
Okay, so I heard about something that happened at the Notting Hill Carnival, which is a big street party that's usually held at the end of August.

I've never been, but looking at pictures, it looks like fun.
CAROLE THERIAULT
It is. It's awesome and delicious and great.
GRAHAM CLULEY
I haven't been, but it's very famous here in the UK.
DAVID BISSON
Well, then all the more concerning that I guess at this event, the Met deployed automated facial recognition software to try and screen who was getting into the festival area.

And apparently it didn't work out so well. Silkie Carlo of Liberty went and she was talking to the police there about how they were doing with the technology.

I guess in one day alone there were 35 false positives.
CAROLE THERIAULT
35?
DAVID BISSON
Where the technology identified young women as wanted men. There were—
GRAHAM CLULEY
I don't know about that. Whoa, whoa, whoa, whoa. So there were 35 young women who were identified as wanted men?
CAROLE THERIAULT
No, no.
DAVID BISSON
No, no, no. There were 35 false positives, and included in those were young women's pictures that came up, and the technology paired them with wanted men's pictures.
GRAHAM CLULEY
If I was one of those women, I would be pretty disappointed about that. In fact, I'd be pretty disappointed if I was one of the wanted men who'd been misidentified as a young woman.
DAVID BISSON
Yes.
CAROLE THERIAULT
Okay.
DAVID BISSON
No one wins in that situation. Especially those where there were five interventions, as they call them, leading to false identifications.

The police showed up, they questioned them, and of course they weren't wanted.

So in fact, across the entire weekend, there's only one correct match for someone who is charged with a rioting offense.

But that person had already been arrested and they weren't wanted anymore. They were asking then the police, okay, well, what do you think about this? What's your response?

And it's like, oh, we had success this weekend. We had a positive match. So I guess it's the lowest threshold here when we're measuring the success rate of technology.

They said, oh, well, we make our own analysis before stopping and arresting the identified person anyway. It's a top-of-the-range algorithm, as they called it.
CAROLE THERIAULT
Have you guys ever seen that show, Person of Interest?
GRAHAM CLULEY
Oh, it's hilarious.
CAROLE THERIAULT
Yes, have you? It's great. Millions of people. That's all I remember.

But so that means basically that their facial recognition software is basically completely fake because we're really in a much earlier phase of infancy in this technology.

Is that your feel?
DAVID BISSON
Yeah, and it's interesting that they would even think that it would do well because I guess they tried using the same technology last year, and I guess at that festival they arrested 454 people, but the technology didn't identify one of them as being wanted or on an alert or anything like that.

So two years in a row, this technology has failed to live up to what it's supposed to do. I mean, it gets worse than that.

In 2012, the High Office ruled its collection of images and that kind of thing for police databases illegal. So then it was supposed to develop another—
CAROLE THERIAULT
So it had to dump everything it had?
DAVID BISSON
No, no, it was supposed to develop another better policy within a couple of months, but it took five years to do so.

And all the while, it was still collecting these images and building this database of, I think it's 19 million mugshots now.
CAROLE THERIAULT
Hmm.
DAVID BISSON
So now that there is a new policy, there's this whole issue of where if they want to remove themselves, they have to specifically request it, and someone can turn down that request if, I guess, it's highly ambiguous in a vague standard that it would serve a policing purpose.

So I mean, even then the police can turn them down.
GRAHAM CLULEY
Or if the police determine that you look a bit shifty or your eyes a bit too close together, they say, well, you know, on balance, we'll keep you in the database.
DAVID BISSON
When someone is even matched up in one of these false matches, the database basically keeps that match on file for around three months, probably, says the Met.

So even then, you're still in the database, it's still showing up as this match.

And that's something then that you might have to deal with constantly over the course of the next three months.
GRAHAM CLULEY
Hmm.
DAVID BISSON
But it gets even worse than that.
GRAHAM CLULEY
Worse?
DAVID BISSON
Worse still, because when we start taking into effect people of different races and ethnicities, it becomes all the more complicated.

Because I guess most facial recognition technology is racist.

The way that it's designed, and perhaps this is a reflection of who is designing and what sort of pool of people are creating this technology, but it's just less accurate with, say, African Americans and people of color.

So when these people are showing up on the databases, and you also have to account for a higher arrest rate of people of certain races and ethnicities, that means that if there's a bias or an error rate in the database, it's going to be magnified for people of color.

You have to then wonder why we necessarily need facial recognition technology deployed everywhere.

I mean, we don't want that because we want to keep our privacy safe, and there's no reason to constantly be watching people.

But even when there is an event like this, it's very contained, it's very specific, and the technology fails so dramatically, you have to really think twice about deploying it until you cross all your T's.
CAROLE THERIAULT
I mean, it's just I wonder if this is actually a beta test that they're running at the moment, if this is if they're just testing the software.
DAVID BISSON
It could. I mean, I would give them a pass for their first year. But the fact that this has happened twice in a row now, two years in a row, just something has to change.

And in the very least, I mean, the Met should lead the way because I know other facial recognition technologies, they don't test for racial bias or any of that.

I mean, you need to run those tests. And you need to try and just improve it.
GRAHAM CLULEY
I think it's a pretty disappointing response by the Met Police, isn't it? Who've tried to present what they did as a success during the carnival weekend.

But in fact, clearly it was a failure. And this isn't the first time they've had this failure.

Their response to questions about how long false images are being kept doesn't really engender you with much confidence regarding how they're handling this.

So I think we just need a more grown-up and transparent approach to facial recognition being used by police services.

I mean, I think we all want the carnival to be safe and, you know, events to be safe. But clearly at the moment, this is a failure.
CAROLE THERIAULT
I know, but you know what? I don't think we should slap them on the wrist for being honest.
DAVID BISSON
But to call it a success, I mean, is it? I mean, they should just as well say it's wow, I mean, we got one success, but that was a disaster overall.

We're going to do better next year.
CAROLE THERIAULT
Yeah, I guess we don't know what even the targets were, where the software is in its life cycle. So I think it's a difficult one to say.
GRAHAM CLULEY
One thing's for sure, we're going to see law enforcement using this kind of technology more and more, whether we like it or not, and there are going to be innocent people who will be captured on this video and may end up in databases, which is something that I think many of us are uncomfortable with.
DAVID BISSON
How can we prevent that from happening? Unless you walk around with those blocking glasses that shine those lights.
GRAHAM CLULEY
I do wonder whether the problem— I mean, Carole, you've been to the Notting Hill Carnival, haven't you?

And the thing I know about the Notting Hill Carnival is they have these incredible headdresses.

If you go to Google Images, anyone who hasn't seen the other image search services are available, of course, you will be able to see some incredible pictures.
CAROLE THERIAULT
It's glorious, actually.
GRAHAM CLULEY
It's like Rio or a Caribbean carnival, isn't it?
CAROLE THERIAULT
Full of food, music, dancing, floats.
GRAHAM CLULEY
And I wonder whether that would actually impact the quality of the facial recognition. Although I suppose those are the people who are performing in the carnival.

They're not the spectators.
CAROLE THERIAULT
Oh no, lots of people are dressed up. Like, it's, you know, it's not like you go there. I know it's England, but people actually do get in the swing of things.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
Well, my story actually kind of aligns and follows quite nicely from David. So I want to talk about employee privacy rights.

So we can all appreciate that there's a balancing act, but where's the line? So I was kind of thinking of these questions.

So what if your employer, in the name of physical safety and possibly lower insurance premiums, places live video feeds everywhere in the workplace, including the break areas, locker rooms, and toilets?
GRAHAM CLULEY
In the toilets?
CAROLE THERIAULT
Yes. Would you say that's legal or illegal, do you think?
GRAHAM CLULEY
Well, having a camera in the loo? What, in case I slip up on something slippery and crack my head open on a basin or something?
CAROLE THERIAULT
It doesn't have to necessarily be in the cubicle, but yes. I suppose male loos are a little more public than lady loos.
GRAHAM CLULEY
I doubt you'd be able to pick up anything with a camera pointed at my urinal, to be honest with you.
CAROLE THERIAULT
Okay, moving on. Moving on.

What if an employer, right, saying that they were concerned that you were distracted at work, demanded your full online activity report for the last 6 months from IT to review what websites you visited, what you were doing, what emails you sent?
GRAHAM CLULEY
It feels a bit Big Brother, doesn't it?
DAVID BISSON
It sure does.
GRAHAM CLULEY
I mean, I would like to work for a company which trusted me to do my job and would judge me based upon my outcomes rather than how I got them done.

So it would be able to say, we gave you these tasks to do. You completed them by this time. Thank you very much. Good job, right?
CAROLE THERIAULT
I couldn't agree more.
DAVID BISSON
I guess it's more of a question too in that sense. It's like, well, they have to have a reason for asking for your online activity. So what have you been doing for the past 6 months?
CAROLE THERIAULT
Exactly. Well, so these kinds of questions were plaguing me after I read about Mr. Bărbulescu's case. Isn't that a glorious name? I just love his name so much.

This goes back to 2007, when a Romanian employee, Mr. Bărbulescu, was fired from his job for sending private messages to his brother on Yahoo's messaging service, and he was doing this from work.

His employer had surveillance software which monitored Bărbulescu's computer activity. He saw the messages and fired our guy. So Mr. Bărbulescu then brought his boss to the Romanian courts for unfair dismissal, and last year in 2016—so that's a whopping 9 years later—the Romanian courts ruled that the company was within its rights to monitor employee activity.

And therefore his dismissal was legal.
GRAHAM CLULEY
Did they simply know he was using the Yahoo messaging service, or were they able to determine what he was sending via it?

Were they actually watching his screen to see what he was typing?
CAROLE THERIAULT
They could see the messages that he was sending.
DAVID BISSON
Was that a company messaging service, through Yahoo then?
CAROLE THERIAULT
No, this would be Yahoo with his own account on a work computer.
GRAHAM CLULEY
Interesting. They basically put a keylogger, some kind of spy, some kind of spyware onto his computer in order to see what he was typing to his brother.
CAROLE THERIAULT
Yeah, because surveillance software is quite a broad term, isn't it? There could be a lot of different things that could be done.

But yes, basically there could be software that takes screenshots every 30 seconds, right? There's all this stuff. So Mr. Bărbulescu did not take this sitting down.

He went off to the European Court of Human Rights to challenge the decision.

And they were a little more efficient managing the court processes, though I imagine their funding is slightly higher than Romania's.

And this, just this past Tuesday, the Romanian court's ruling was overruled. They said that Mr. Bărbulescu's right for privacy was not adequately protected.

So the reasons they said were that it was not clear that his communications would be monitored.

Okay, so one big thing that seems to be across the board, because I've done a little digging around, is that you need to inform your employees. That makes sense, right?

Employees need to be informed clearly. So that's a big one. And two, the reasons for monitoring the employee were not specific enough in the original case in Romanian courts. So why?

It wasn't clear whether it was kind of a vendetta or personal or whether it was actually—
GRAHAM CLULEY
Yeah, it might be they simply wanted to get rid of him for some other reason.

They said, oh, you've been sending lots of messages to your brother, so you're going to have to clear off, you know.
CAROLE THERIAULT
Now, the European Court says the ruling does not mean that firms cannot now monitor employee communications at work.

Okay, they can still dismiss employees for private use of email and other devices and services, but they cannot reduce a person's social life in the workplace to zero.

So I went to the ACLU to look into the States to see what— and I was kind of expecting it to be— there'd be a lot more monitoring in the States.

But it seems that employers must notify employees and applicants of electronic monitoring policies. Okay, check.

Employers must provide a visual or oral signal to employees and customers before monitoring. So you didn't say, "Now I'm turning it on." So that's interesting.

Employers must provide employees access to all data obtained by electronic monitoring.
GRAHAM CLULEY
You were saying that they have to visually tell you, we are now monitoring you?
CAROLE THERIAULT
So, yes. So employers must provide a visual or oral signal.

So these are— yeah, they have to basically give a cue to the employee that, hey, we're now switched on and we're recording.
GRAHAM CLULEY
So it's like, live, we're now watching what you're up to. Please carry on.
DAVID BISSON
Is it like HAL from 2001: A Space Odyssey? It's like, oh, you can't do that, Dave.
CAROLE THERIAULT
And they're prohibited from using electronic monitoring to obtain data that is not relevant to work performance.

And your question, you know, to the little question I asked earlier, in the States, you cannot monitor restricted areas, including restroom, locker rooms, and lounges.

So now how does that compare to the UK?
GRAHAM CLULEY
By the way, that's kind of ironic that they won't put cameras inside American restrooms. Because in my experience, I think we may have touched upon this in past podcasts.

In my experience, the privacy of American restrooms is absolutely diabolical compared to our decent European ones.
CAROLE THERIAULT
It does leave something to be desired, I think. Yes.
GRAHAM CLULEY
I'm not even going to get into the story about when I was in that restaurant and the camera came under the— anyway, we won't go there.

But anyway, it is discussed in one of our early episodes with Anja Schweitzer.
CAROLE THERIAULT
Listen and you'll hear it.

Now in the UK, your employer can legally monitor your use of the phone, internet, email, and fax, if any company out there still has one, if the monitoring relates to the business, one, if the equipment being monitored is provided partly or wholly for work, and if your employer has made all reasonable efforts to inform you that your communication will be monitored.

OK, so this is where it gets quite interesting in the UK.

So based on those three, as long as they follow those three rules, they can check calls to confidential helplines that an employee might be making.

So in this case, your employer can listen in but is not allowed to record these calls.

Can you imagine if you're calling a suicide hotline and your employer is sitting there listening in?
GRAHAM CLULEY
It is a bit alarming, isn't it, that this sort of thing can be going on?

I think what we need to do is we all need to be very clear about what we've agreed to in the workplace, because these aren't our own devices. We are using someone else's technology.

We're using phones and email systems, which they are paying for.
CAROLE THERIAULT
Yep. And they are allowed to open up your emails, listen to your voicemail.

They are allowed, and this is in the UK, they are allowed to check whether you're using the internet or email for personal use.

An interesting thing as well is for people looking, you know, to applicants, job applicants.

So there seems to be a number of situations where potential employers are asking to be furnished with the social media passwords.

Now, this is something I remember reporting on maybe 5, 10 years ago, and it still seems to be happening.

However, there doesn't seem to be any legal ramification if they choose not to hire you, if you choose not to give your password.
GRAHAM CLULEY
But why would you want— I mean, even if you didn't give them your password, the sheer fact that they are asking you for that password should set off alarm bells in your head.

Is this the kind of company you want to work for?
CAROLE THERIAULT
No, I think if you have that opportunity to be able to turn it down, do it. If you do not, I suggest you give it to them and change it pronto and just hope— Oh my goodness.

Because you're not just putting yourself at risk, you're putting everyone who's connected and trusts you at risk too.
GRAHAM CLULEY
And of course, you could have two-factor authentication in place, which means that every time they try and access those accounts, they have to come to you and say, "We want to go into your account." You go, "Oh, do you?" Just keep giving them wrong codes.
CAROLE THERIAULT
Yeah. Now, these are things you can do. I would suggest definitely that you find out what your company's monitoring policy is.

They should be able to— they need to provide that to you if you request it.

And you want to maybe check your contracts and your work handbooks to see if you've been informed about surveillance within the office place and what it involves.

And if you're going to do personal stuff, I would avoid using work equipment and work accounts and Wi-Fi from the company if you have very sensitive personal communications.

And remember, of course, the safe computing practices, the VPN, the two-factor, the strong passwords on all your devices.
GRAHAM CLULEY
I guess the good news now is here we are in 2017 and most of us have smartphones.

So you don't necessarily need to use your corporate laptop or corporate desktop computer to communicate personal stuff; you can use that phone instead.

You can even make sure that it's not on the company Wi-Fi and it's using 3G.

And maybe you can install an app, something like Signal or whatever, if you want to be ultra paranoid to secure the communications as well.

So you just have to be a little bit more careful. But I think your advice about checking out what your company contracts and what you've actually agreed to may make sense.
CAROLE THERIAULT
And remember, there may be things in the contract that aren't actually legal within your jurisdiction.
GRAHAM CLULEY
And even if you're not doing anything wrong, there might be some creepy guy or gal in the IT department who has the access rights to do these things, who might potentially abuse it.

Maybe if they don't like you, maybe if they like you too much. And you want to protect yourself against that kind of thing, don't you?
CAROLE THERIAULT
You know, that happened to me actually.
GRAHAM CLULEY
Really?
CAROLE THERIAULT
Yeah, that happened to me. An IT guy came up to me once and told me something from a personal email, and I couldn't believe it.

But that was the wake-up call for me that I realized, you know, they have full access.
DAVID BISSON
Yeah.

I mean, to emphasize that point too, besides getting that monitoring policy, I mean, you would hope that a company would do its due diligence and train their employees, have a refresher every year or something just to go over.

It's like, okay, just remember, we're doing this. If you have any questions and then they can talk to their employees about that.

I mean, of course, we know that's not the case with every organization, but everyone that's worth its salt should make sure that their employees know what they're doing.
CAROLE THERIAULT
Yeah, totally. Totally.
GRAHAM CLULEY
Good stuff. Well, thank you, Carole. Some really sensible advice for all of us there and things for us to think about. I'm kind of glad I don't have a boss other than myself.
CAROLE THERIAULT
I am too. I am too. This episode of Smashing Security is brought to you in part by Recorded Future.

Recorded Future is the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats.

Sign up for free daily threat intelligence updates at recordedfuture.com/intel.
GRAHAM CLULEY
Welcome back to the show, and it's the segment of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Ah, Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week could be a funny story, a book that we've read, a TV show, a movie, a record, an app. It doesn't have to be security related.
CAROLE THERIAULT
Basically a kind of recommendation, maybe.
GRAHAM CLULEY
Something we like.
CAROLE THERIAULT
Something we like.
GRAHAM CLULEY
And I'm gonna start with my Pick of the Week. And I took my wife out to the cinema. We went out on a date, very exciting. And I went to see a movie called The Big Sick.

It might have been out for a few weeks actually, but you know what it's like. We're a little bit late on these things.
CAROLE THERIAULT
Graham, I just need to know, did you fall asleep in the movie? Because I don't think I've ever seen you in a movie theater not snoring away.
GRAHAM CLULEY
I did not fall asleep.
DAVID BISSON
Not once.
GRAHAM CLULEY
Not once. And that is my recommendation for The Big Sick. It's a movie I didn't fall asleep during.
DAVID BISSON
Should that be your recommendation for a date night in general? Don't fall asleep.
CAROLE THERIAULT
I know, David, seriously, it is pretty impressive.

We were once stuck in some place for some conference, and we were watching this— it was a boring movie, but he did fall asleep about 40 times.
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
I just had a stick in my hand and I just kept poking him.
DAVID BISSON
Stick of the week.
GRAHAM CLULEY
Anyway, stick of the week. So, The Big Sick. Now, I didn't tell my wife in advance what it was going to be about, right?

Because that's the way I like to play my dates, with a little bit of danger spliced in.
DAVID BISSON
Not telling you.
GRAHAM CLULEY
I just told her we're going to the movies, we're going to see a movie called The Big Sick.

And she gave me that look like, oh my goodness, is this going to be another one of your documentaries about a vomitarium or something like this? You know, what is this going to be?

Will I like it? And I said, trust me, trust me, trust me. And it's actually surprisingly a romantic comedy. Now normally rom-com just fills me with dread, right?

But this is a good one.

It stars a guy called Kumail Nanjiani and also an actress called Zoe Kazan, and it's the typical story: guy meets girl, he's Pakistani, she's white American, they break up and she falls into a medically induced coma.

It is fun for all the family. It is genuinely enjoyable. It's brilliantly acted, well written, and funny, and I recommend you go and see The Big Sick.

We need more movies like this rather than the normal sort of Hollywood dross. So I enjoyed it. And that is my pick of the week, The Big Sick. David, what's your stick of the week?
DAVID BISSON
Okay, so my stick of the week is—
CAROLE THERIAULT
Why stick?
GRAHAM CLULEY
Because it's the stick you poke me with at the cinema. This is a joke that David and I have incorporated into the narrative.
CAROLE THERIAULT
Okay, carry on, erase this.
DAVID BISSON
All right, so my pick of the week, stick of the week, whatever you call it, is Above and Beyond's Group Therapy.

So Above and Beyond is a very well-known progressive trance, electronic DJ band. I think they're based in the UK.

And every week they do this radio show where they play their music and a bunch of other artists' music. It's some of the best and newest electronic music out there.

So it's just incredible. I know it's at 2 o'clock, I believe, in the Eastern time zone, so that must place it at around 7 in London time, I believe.

So it's a great way to unwind, get ready for the weekend. You can listen to it on YouTube. I know they also have it on Apple Podcasts and Spotify.

And just as a plug for them, I don't know if there are any tickets left, but they are celebrating their 250th group therapy session in Washington State.
CAROLE THERIAULT
That's not a yearly event.
GRAHAM CLULEY
No, it's weekly.
DAVID BISSON
It's a weekly event. It's a weekly radio show. And yeah, they're doing that on September 16th and 17th. So if you like that music, I highly recommend it.

It's great for running, for all you running fans out there.
GRAHAM CLULEY
Is that why you're principally a fan of trance and electronic?
DAVID BISSON
Yeah, well, I can't say that I'm a fan of this kind of music in general.

It's something about Above and Beyond, the way that they blend it together and how it's a little more— I guess that gets more into the trance-like state of the music, how it's just, it's very easy listening and you can get lost in it.

So it's really relaxing.
GRAHAM CLULEY
Well, okay, we will put some links in the show notes. I must admit it's a completely alien world to me. I've just about caught up with Alma Cogan.

That's about how close I am to the modern day, but it's in the '60s, Carole.
DAVID BISSON
You should give it a try, Graham.
GRAHAM CLULEY
But anyway, thank you very much. I will go and check. Well, sure I will. Why not? Let's check it out. And Carole, what's your pick of the week?
CAROLE THERIAULT
Well, I have a little time waster for any of you at work who need 5 minutes that won't get you in too much trouble, as long as your employers don't mind you visiting a Google News Lab site called howtofixatoilet.com.

So I recommend you guys go check it out now so we can get live feedback. So this has been created by Simon Rogers and Alberto Cairo.

And what they wanted to know was what are the top 100 how-tos and how does it change depending on where you are in the world?

So one of their sections, for example, and I'm very interested, Graham, in seeing what you think about the site, because it's quite modern.

And I have a feeling I'm looking at it right now. It's a bit whiz-bang.
GRAHAM CLULEY
Yeah, there's a lot going on on the screen. And oh my goodness, when you move the mouse over things.
CAROLE THERIAULT
I know. It is actually quite irritating, I found it.
GRAHAM CLULEY
So are these Google employees who've made this site?
CAROLE THERIAULT
Yep, I know.
GRAHAM CLULEY
During work time?
CAROLE THERIAULT
During work time.
GRAHAM CLULEY
Was no one monitoring what they were doing?
DAVID BISSON
It is.
CAROLE THERIAULT
I think they had a lot of fun with some of their surveys. Services, right?
GRAHAM CLULEY
Oh my goodness, it goes crazy.
CAROLE THERIAULT
But I don't think the end result is a relaxing or enjoyable experience. But the information's kind of cool. For example, there's one section on how to fix stuff around the house.

And it turns out North Americans and East Asians need to fix their toilets. People from former Soviet countries are fearless enough to attempt fixing their own washing machines.

And in warmer climates, they can't live without fridges.

So there's all these kind of— oh, and Eastern Europeans love to fix their— you know, always looking up how to fix their light bulbs. So they have these sections on cooking.

They have apparently how to tell if someone likes you and all that other love stuff is a huge area, which is not surprising, but it's quite sweet.

It's how do you know, how do you kiss a boy, you know, how do you ask someone?
GRAHAM CLULEY
That's what I want to find out, Carole. Yeah, okay, thanks. No, no, you heard it here, folks. I was bored up until then, but suddenly, oh no, I'm interested.

How to tell if a guy really likes me. Oh yeah, okay.
CAROLE THERIAULT
Pounds is another one.
GRAHAM CLULEY
Graham, cheeky.
DAVID BISSON
A lot of these people seem to have problems with bugs. There's so many bugs. Get rid of bed bugs and ants and fleas.
GRAHAM CLULEY
How to play the guitar crawl. Yeah, I've seen that one.
CAROLE THERIAULT
Yeah, I'm so advanced now. So, no, so it's quite a fun site. The info— I mean, again, I don't like the layout at all, but I find the information quite fun. So enjoy that, people.

So that is howtofixatoilet.com.
GRAHAM CLULEY
Oh, you could spend a lot of time on this site, couldn't you? This would be a great time waster. You're welcome. How to make slime.
DAVID BISSON
Yeah, I was just yeah, how to do the cup song from Pitch Perfect.
GRAHAM CLULEY
Strange. Okay, Carole, thank you for your pick of the week. And I think with that, it's the end of the show. Thank you very much, David, for joining us on today's episode.

If people want to follow you online or find out more about you, where's the— what's the best way for them to how do they do that?
DAVID BISSON
You can go on to Twitter. I'm @dmbisson. I'm also on Facebook, Google+ under just David Bisson. Search me and I should be one of the first ones to pop up.
GRAHAM CLULEY
Cool. And if you want to follow Smashing Security on Twitter, you can find us @smashinsecurity. There's no G. They didn't allow us that many characters. Smashing Security.

And we've got a Facebook group which you can get to via smashingsecurity.com/facebook, and we have swag. You can buy t-shirts and mugs and all kinds of other goodies.

Someone bought a sticker the other day from smashingsecurity.com/store. Well, all that remains is to thank you, David.

Thank you, Carole Theriault, for joining us once again this week, and thank you at home for listening as well. If you like the show, tell your friends, leave a review on iTunes.

Please leave a review, though not a nasty one like the one we got this week.
CAROLE THERIAULT
Yes, I wouldn't say yes. Yes.
GRAHAM CLULEY
No, what?
CAROLE THERIAULT
I was named in that one.
GRAHAM CLULEY
Oh yes, you were.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Okay, don't look that up, folks. You can find past episodes or drop us a line via smashingsecurity.com as well. Until next time, cheerio.
CAROLE THERIAULT
Bye-bye. Toodle-oo. Bye.
DAVID BISSON
Man, you guys have too much fun on this. It must be so much fun to do this every week.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Instagram breach deepens with dark web ‘Doxagram’ domain”

  1. Mike

    Why do you have a picture of a muppet on a phone for the main image?
