Mathy Vanhoef has discovered what may be the biggest vulnerability of the year – a flaw in the WPA2 protocol used to encrypt Wi-Fi communications.
In the wrong hands, an attacker could exploit the vulnerability in WPA2’s handshake protocols to intercept sensitive information such as passwords. At risk-devices include those running Android, Apple, Linux, OpenBSD and Windows operating systems.
Vanhoef describes the attack as being “exceptionally devastating against Linux and Android 6.0 or higher.”
However, don’t panic too much.
Much of the web these days (and an increasing number of apps) are using HTTPS/SSL for encryption, limiting the opportunities for stealing information through the KRACK attack.
Furthermore, an attacker has to be within range of your Wi-Fi network to launch a KRACK attack against it. This isn’t something that a hacker on the other side of the world can use to spy on you.
Finally, Wi-Fi hardware vendors were informed responsibly of the KRACK attack from July onwards, long before it was made public – meaning that many have been beavering away developing fixes. Accordingly, there is a long list of advisories from many different vendors that you can peruse at your leisure.
The rules haven’t changed – reduce the risk by patching your devices as soon as security updates are released. And, if you have access to a trusted VPN service, use it to add an additional layer of protection!
Oh and a side note. Developers who *hadn’t* been properly following the WPA2 specification ironically found that their software *wasn’t* vulnerable to exploitation. There’s really no justice in the world, is there?
Hear more about KRACK in this episode of the “Smashing Security” podcast:
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hi everyone, this show wouldn't be possible without the support of sponsors, and this episode of Smashing Security is sponsored in part by Netsparker. So big thanks to them.
Netsparker are a web application security scanner, and what they do is they can automatically find security flaws in your website and they can fix them before hackers can exploit them.
So if you want to automatically check your web applications for cross-site scripting, SQL injection, and other vulnerabilities and coding errors that can leave you and your business exposed to malicious hacker attacks, then you need something like NetSparker.
Try it out now. Go and download a demo from www.netsparker.com/smashing. That's netsparker.com/smashing. And on with the show.
Smashing Security, Episode 48: Crack, North Korea, Ransomware and an 18th-century cyberattack with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security, number 48 for the 19th of October, 2017.
My name is Graham Cluley, and I'm joined as always by my good chum and co-host, Carole Theriault. Hello, Carole, how are you? Hello.
Netsparker are a web application security scanner, and what they do is they can automatically find security flaws in your website and they can fix them before hackers can exploit them.
So if you want to automatically check your web applications for cross-site scripting, SQL injection, and other vulnerabilities and coding errors that can leave you and your business exposed to malicious hacker attacks, then you need something like NetSparker.
Try it out now. Go and download a demo from www.netsparker.com/smashing. That's netsparker.com/smashing. And on with the show.
Smashing Security, Episode 48: Crack, North Korea, Ransomware and an 18th-century cyberattack with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security, number 48 for the 19th of October, 2017.
My name is Graham Cluley, and I'm joined as always by my good chum and co-host, Carole Theriault. Hello, Carole, how are you? Hello.
I just wondered if you say my name badly, because then that way the show is just associated with you. And just your name.
What?
So how am I saying your name badly?
Carole.
That's what I said, wouldn't I?
Okay, yes it is. I'm doing great, thanks Graham. How are you?
48 episodes in about 20 years. You would think I would know by now. I'm gorgeous, actually. And talking of gorgeous, we are joined by a gorgeous special guest.
Now I'm going to have to take a little bit of a run-up at his name. Okay, here we go. Martijn Grooten.
Now I'm going to have to take a little bit of a run-up at his name. Okay, here we go. Martijn Grooten.
Come on. Martijn Grooten.
Hello. Yeah, that is quite accurate, actually.
You see?
I don't think I get invited on podcasts a lot, because no one dares to pronounce my name. So kudos to you for doing it quite well.
And Martijn, you are the sort of— you're the big boss at virusbulletin.com, aren't you, who organized the VB conference, which just happened in Madrid.
I was sorry to miss it, but Carole was there.
I was sorry to miss it, but Carole was there.
She was. I'm the editor, so I'm the one going up on stage at the very beginning and at the very end. And in between them, we have some awesome talks.
And for those people who don't live and breathe this industry, what do you do?
We publish technical articles, we test security software, and we have a conference where people talk about these attacks and defenses against them, and people from around the world get together and discuss these things.
It's a great conference. I've been going for years.
Yeah, there's a great vibe there, isn't there? And there's lots of smart people.
And if you run an antivirus on your computer, which I jolly well hope you are, then the Virus Bulletin Conference is a fantastic opportunity to actually chat with the people who write your antivirus software, the people who actually develop it.
Thank you, Martijn. Great to have you joining us on the show.
As always, if you've heard the show before, you'll know that what we do is we look back over the last 7 days at news stories which have caught our eye, and we have a little bit of a chat about them.
And I want to start off by telling you this.
And if you run an antivirus on your computer, which I jolly well hope you are, then the Virus Bulletin Conference is a fantastic opportunity to actually chat with the people who write your antivirus software, the people who actually develop it.
Thank you, Martijn. Great to have you joining us on the show.
As always, if you've heard the show before, you'll know that what we do is we look back over the last 7 days at news stories which have caught our eye, and we have a little bit of a chat about them.
And I want to start off by telling you this.
Okay, I'm listening. All ears.
It's 2014, and on a covert mission in North Korea, the world's most secretive nation, a British nuclear scientist is taken prisoner, triggering an international crisis, which itself must be kept secret.
That is the premise of a controversial British TV drama series called "Opposite Number," which was announced in 2014 by Channel 4, being made by a production company called Mammoth Screen.
That is the premise of a controversial British TV drama series called "Opposite Number," which was announced in 2014 by Channel 4, being made by a production company called Mammoth Screen.
Okay, I have no idea where you're going with this.
Well, what's interesting about this is, of course, if you try and make a controversial British drama series flipping the lid on North Korea, it turns out North Korea isn't very keen on that, 'cause that's what they're worried about.
They're worried about people watching TV late at night and thinking, "Oh, that North Korea, I'm not gonna go there on holiday." It's hurting their stellar reputation as a holiday destination.
It must be.
Well, it must be because North Korea's most senior military body, the National Defense Commission, said that the UK authorities should, quote, "punish those behind the project." Oh dear.
Because they said it was a slanderous farce that should be thrown into a cesspit. Interestingly enough, now this TV show wasn't ever made.
So it was announced and North Korea reacted. And they didn't just react in the press by making statements grumbling about the project.
They're worried about people watching TV late at night and thinking, "Oh, that North Korea, I'm not gonna go there on holiday." It's hurting their stellar reputation as a holiday destination.
It must be.
Well, it must be because North Korea's most senior military body, the National Defense Commission, said that the UK authorities should, quote, "punish those behind the project." Oh dear.
Because they said it was a slanderous farce that should be thrown into a cesspit. Interestingly enough, now this TV show wasn't ever made.
So it was announced and North Korea reacted. And they didn't just react in the press by making statements grumbling about the project.
That's a pretty harsh statement. That's a Trump-level statement, isn't it? Really?
Yeah, exactly. It's guys, guys, wait until you've seen the show. Right, before thrown into a cesspit.
And there are other Channel 4 shows which certainly should be thrown into a cesspit. Have you ever seen Naked Attraction?
And there are other Channel 4 shows which certainly should be thrown into a cesspit. Have you ever seen Naked Attraction?
I have never had the pleasure.
No, I have never watched it.
It is completely vile and possibly presents a bigger threat to the future of civilization than North Korea itself.
So that's the kind of show which should be thrown into a cesspit in my point of view. But North Korea very upset about this drama, even though they'd never actually seen it.
Now, Mammoth Screen, who were planning to make the show, have claimed that they suffered a cyber attack. You see, now this is why it all comes back to us, you see.
Now, it isn't clear exactly what kind of nature of attack it was, which they suffered, but the BBC says that a TV executive had described it as them running around with their hair on fire.
So that's the kind of show which should be thrown into a cesspit in my point of view. But North Korea very upset about this drama, even though they'd never actually seen it.
Now, Mammoth Screen, who were planning to make the show, have claimed that they suffered a cyber attack. You see, now this is why it all comes back to us, you see.
Now, it isn't clear exactly what kind of nature of attack it was, which they suffered, but the BBC says that a TV executive had described it as them running around with their hair on fire.
What, the people at Mammoth Screen?
Well, it could have been the actors. Maybe they were getting into character as Kim Jong-un. Maybe they were singing his, you know, tonsorially.
Maybe they're fixing his hair or something. I don't know. But Martijn, this isn't the first time North Korea has been accused of hacking into media companies, is it?
Maybe they're fixing his hair or something. I don't know. But Martijn, this isn't the first time North Korea has been accused of hacking into media companies, is it?
They are alleged to have been behind the Sony hack of late 2014, which was one of the most prominent hacks of the past years. And that's quite a bit of competition.
Yeah, there was a lot of information which spilled out of their private emails, databases, you know, huge amount of damage was done both to the brand and to obviously the working of Sony Pictures who were planning that, well, they were making that comedy movie, weren't they?
With, I think it was Seth Rogen or someone was in it, all about Kim Jong-un and about sort of an assassination attempt against North Korea's dictator.
I've never been quite sure whether I believed this story that North Korea was behind that hack or not, although that seems to be the official line.
But the timeline does fit in kind of with this attack on Mammoth Screen as well, although we don't know whether they also had skulls full of blood sort of appearing on their screens scary messages.
With, I think it was Seth Rogen or someone was in it, all about Kim Jong-un and about sort of an assassination attempt against North Korea's dictator.
I've never been quite sure whether I believed this story that North Korea was behind that hack or not, although that seems to be the official line.
But the timeline does fit in kind of with this attack on Mammoth Screen as well, although we don't know whether they also had skulls full of blood sort of appearing on their screens scary messages.
Well, if people stop making documentaries that are insightful or revealing because they're afraid of being attacked, that's a bad thing.
It's a bad thing for the arts, it's a bad thing for news, it's a bad thing for information sharing.
It's a bad thing for the arts, it's a bad thing for news, it's a bad thing for information sharing.
Well, absolutely. But I also think, haven't North Korea got better things to do with their time?
I mean, if this is true, is this a sign that their leadership are completely crazy ape bonkers if they think, oh, what we need to worry about is some TV show going on in Britain?
Rather than, I don't know, dealing with starving populations or dealing with that crazy-haired loon elsewhere who's planning to bomb us or, you know, something like that.
I mean, if this is true, is this a sign that their leadership are completely crazy ape bonkers if they think, oh, what we need to worry about is some TV show going on in Britain?
Rather than, I don't know, dealing with starving populations or dealing with that crazy-haired loon elsewhere who's planning to bomb us or, you know, something like that.
Or it's a smokescreen, Mr. Cluley. It's a smokescreen to get you talking about this — what else is going on right now?
Oh, do you think that's the reason?
Just conspiracy theory number 24. I'm just saying.
It also helps to emphasize the point that they're strong, at least to their opponents. Like, hey, we are big and strong and don't mess with us.
Look what we can do. Yeah.
But yeah, we're not 100% sure whether North Korea was behind the Sony attack.
I think the attribution is fairly credible, but it could also be that it was North Korea through some foreign, possibly Chinese mercenaries, which is a theory I've also heard.
I think the attribution is fairly credible, but it could also be that it was North Korea through some foreign, possibly Chinese mercenaries, which is a theory I've also heard.
It's a strange one, isn't it? I wonder whether this will impact any other organizations who are thinking of, like you said, Carole.
Yeah, and bringing this all up to us, right, this show opposite number, you're basically saying it's never going to see light of day.
No, apparently it doesn't look like it's going to come out. Apparently they didn't manage to get funding. Whether that's because of the cyber attack or not, I don't know.
Is the cyber attack a bit of an excuse, maybe?
Is the cyber attack a bit of an excuse, maybe?
When apparently did the cyber attack happen?
It happened in late 2014.
It's around the same time as the Sony attack.
What happened this week to make this a news topic?
Oh, because—
Just out of interest.
Well, the New York Times revealed this. This hasn't previously been known about. It's just leaked out that this happened.
Channel 4 was targeted, BBC did a little bit of digging around, said actually, although it's a Channel 4 show, it was being made by another company and they, Mammoth Screen, who were targeted instead.
It does tie in with the Sony Pictures hack as well, and of course, North Korea is an awful lot in the news at the moment, isn't it?
Channel 4 was targeted, BBC did a little bit of digging around, said actually, although it's a Channel 4 show, it was being made by another company and they, Mammoth Screen, who were targeted instead.
It does tie in with the Sony Pictures hack as well, and of course, North Korea is an awful lot in the news at the moment, isn't it?
Okay.
So who knows about the truth of it or not? Doesn't sound like that show is necessarily going to be made. I'm not sure if that has any great loss.
Mammoth Screen went on to make Victoria, if you ever saw Victoria about Queen Victoria. Very uncontroversial — no one's complaining about Victoria, are they?
Mammoth Screen went on to make Victoria, if you ever saw Victoria about Queen Victoria. Very uncontroversial — no one's complaining about Victoria, are they?
Prince Philip hasn't hacked Mammoth.
He has. No, no, no.
So do you think North Korea goes after podcasts that talk about its leader?
I would love them to do that.
No, Graham.
No, of course we would.
No. Next.
Isn't he fantastic?
What do you like? Just honestly.
Martijn, over to you.
Okay, so my story is about KRACK. And that's KRACK spelled with a K, so don't get confused with the drug.
It is a vulnerability in WPA2, which you may not have heard about, but that is the protocol used for Wi-Fi, which I'm sure you've heard about and I'm sure you use every day.
And I'm also fairly sure that people listening to the show have protected their Wi-Fi network with a password so that their neighbors can't listen in on that internet traffic.
This KRACK vulnerability essentially means that your neighbors can listen in on your internet traffic.
It is a vulnerability in WPA2, which you may not have heard about, but that is the protocol used for Wi-Fi, which I'm sure you've heard about and I'm sure you use every day.
And I'm also fairly sure that people listening to the show have protected their Wi-Fi network with a password so that their neighbors can't listen in on that internet traffic.
This KRACK vulnerability essentially means that your neighbors can listen in on your internet traffic.
Oh, great.
Which is pretty bad. And it's so bad that The Independent wrote, "Almost every Wi-Fi in the world has been hacked," which is quite a bit of an exaggeration.
It's a scary title.
It is a very scary title.
It's good for clicks.
I mean, a vulnerability is not the same as being hacked.
In fact, and this is partly why I chose to cover this, it's been widely reported, this story — BBC, Guardian, everyone's been writing about it.
And things actually aren't all that bad.
In fact, and this is partly why I chose to cover this, it's been widely reported, this story — BBC, Guardian, everyone's been writing about it.
And things actually aren't all that bad.
Okay.
Firstly, for complicated reasons, technical reasons, not everything using Wi-Fi is vulnerable. Especially newer Android phones are vulnerable to this KRACK thing.
Secondly, it is really easy to patch, so many vendors have already rolled out patches. And thirdly, an attacker needs to be near you to exploit this. Need to be your neighbor or—
Secondly, it is really easy to patch, so many vendors have already rolled out patches. And thirdly, an attacker needs to be near you to exploit this. Need to be your neighbor or—
So proximity is a big factor here.
They need to be capable of basically jumping onto your Wi-Fi. So if they're on the other side of the world, they can't access your Wi-Fi. That's the story, right?
Exactly. And most importantly, and almost without realizing, we have built a very secure internet and most internet traffic is already encrypted.
So every major website — Google, Facebook, your bank, Smashing Security — they all use HTTPS.
So your neighbor can probably see what BBC stories you're reading, but not much else, which means it's probably not that interesting for an attacker to use.
So every major website — Google, Facebook, your bank, Smashing Security — they all use HTTPS.
So your neighbor can probably see what BBC stories you're reading, but not much else, which means it's probably not that interesting for an attacker to use.
Effectively, the way I understand it is that it's not the encryption itself that's been broken, is it? Is that right?
But it's the key exchange part of it, and that's the bit which the hackers are able to snoop upon.
But it's the key exchange part of it, and that's the bit which the hackers are able to snoop upon.
Yes, it is a vulnerability in the protocol, in the standard you need to follow when you write a Wi-Fi client.
So there's some irony here that Microsoft and Apple seems to have not been following the rules very much — that's why they're not vulnerable.
And Android developers have been following the rules because it's built on top of Linux, which has been following the rules, and that's why they are vulnerable.
So there's some irony here that Microsoft and Apple seems to have not been following the rules very much — that's why they're not vulnerable.
And Android developers have been following the rules because it's built on top of Linux, which has been following the rules, and that's why they are vulnerable.
Oh, so this is fantastic. Everyone who implemented WPA2 correctly on their Wi-Fi-enabled device, they're affected, but the people who didn't implement it correctly are okay.
That's a basic summary of it, yes.
I think that's a very good definition of irony.
Yes.
And there's nothing to fix on your actual wireless access point, right? Because we've all got those at home or whatever, you know, beaming Wi-Fi around our homes.
That isn't the thing which gets updated, is that right? It's more the devices that connect to it.
That isn't the thing which gets updated, is that right? It's more the devices that connect to it.
Yes, the technical details of the vulnerability are very detailed.
It may be that there is a way to fix the access point as well, but I think the major vulnerability here is in your device, your phone, most likely.
It may be that there is a way to fix the access point as well, but I think the major vulnerability here is in your device, your phone, most likely.
So what do you suggest people do, people that are nervous about this?
People should just patch their phone whenever an update becomes available.
Yeah.
And that's really it. I mean, it's not great. It means that an advanced neighbor can see whatever BBC websites you're reading.
Not just phone though, you mean laptops as well and all devices, right?
Yes, except that the phones are particularly vulnerable.
But hang on a moment, Martijn. Android phones, you say the very latest version of Android is okay, is that right?
No, no, the very latest version of Android is particularly vulnerable.
Oh, I see, oh, I see, because they finally implemented WPA2 correctly, is that right?
Something like that, yes. Android does take its time doing things correctly, so that wouldn't make sense.
I bet they're kicking themselves now.
So all you have to do if you've got an Android phone is get an update, which historically hasn't always been easy, has it, for every manufacturer of Android devices?
So all you have to do if you've got an Android phone is get an update, which historically hasn't always been easy, has it, for every manufacturer of Android devices?
That's true, although especially the later models are doing a lot better.
Yeah.
I think that even if you are using a phone that for some reason is vulnerable but can't be updated, I don't think you have to worry a great deal.
And that's partly because if you're really worried about these kind of things, you should also probably worry about your internet provider.
Maybe there's someone, some rogue employee there spying on you. There probably isn't, but you know, if you're doing top secret things, you need to keep it in—
And that's partly because if you're really worried about these kind of things, you should also probably worry about your internet provider.
Maybe there's someone, some rogue employee there spying on you. There probably isn't, but you know, if you're doing top secret things, you need to keep it in—
If you're doing top secret things, get an iPhone.
Another thing you could do to mitigate the risk, I suppose, is to run a VPN. Although again, some people I know will respond by saying, oh, but do you trust the VPN provider?
But that would also be a way to encrypt your communications.
But that would also be a way to encrypt your communications.
Yes. If you trust your VPN provider more than you trust anyone who's able to come near you, then yeah, VPN is a solution.
So in a nutshell, you're not suggesting that we run to the hills and panic and pack away the baked beans and, you know, prepare for nuclear winter.
Yep. Turn your Wi-Fi back on.
Yep. In your view, don't panic. Apply the patches when they become available. Obviously go to HTTPS.
Obviously your apps, you hope that they are communicating securely as well, which are running on your phones because they need to be using SSL as well.
Obviously your apps, you hope that they are communicating securely as well, which are running on your phones because they need to be using SSL as well.
And take the opportunity to get rid of apps you don't use anymore. You know, disconnect from them. Don't just delete them, disconnect from them.
But The Independent's original headline for this story may be a little bit of overkill. And if you see similar reports like that, don't panic too much.
Yeah, and I think listeners of your show would probably understand that HTTPS is a separate thing, that even if the Wi-Fi is broken, HTTPS isn't broken.
But average home internet users probably don't, and that's why I don't think these headlines are very helpful.
But average home internet users probably don't, and that's why I don't think these headlines are very helpful.
No, and it also reeks of someone who's not very au fait with technology and security who was given this job to write the story.
No, it reeks of somebody who was told, get an awful lot of eyeballs to come and visit this webpage and get us lots of traffic. The sub-editor changed it up to make it more sexy.
Exactly. Their job is to make a sexy headline regardless of the truth. It's to entice people. I think that's what's going on here. And it had its own logo as well, didn't it?
They'd worked on a logo. That's smashing. I'm always pleased to see that.
Exactly. Their job is to make a sexy headline regardless of the truth. It's to entice people. I think that's what's going on here. And it had its own logo as well, didn't it?
They'd worked on a logo. That's smashing. I'm always pleased to see that.
Yeah, the website has a list of frequently asked questions, and one of them is, is there a higher resolution version of the logo available?
Answer: yes, there is, because they've thought of that.
Answer: yes, there is, because they've thought of that.
I love it. That's fantastic. Carole, we still need a topic from you. What's caught your eye this week?
Well, I chose a topic that hails from the Netherlands for our guest, Martijn. Are you laughing at my Dutch accent?
Yes.
Thanks.
It was okay.
Was it? Sounded a bit like Sean Connery, I thought, for a second there.
So it seems Dutch police have unveiled a few of their projects under the tagline Police of the future.
All right, now don't worry, I'm not going to go down the AI route and robots and face recognition just yet, okay?
But according to an article in The Telegraph, Dutch police chief Erik Ackerboom made a few key promises on behalf of Dutch police, and this included doubling their high-tech crime-fighting resources in the next 4 years, introducing better police monitoring, and of course improved data protection.
But they also presented a few tech-based ideas that I wanted to get your thoughts on.
All right, now one of these is that they're working on an app to help the public assist the cops with crime reporting and investigation. The app is called Ottomon.
Is that how I would say it, Martijn? Ottomon?
All right, now don't worry, I'm not going to go down the AI route and robots and face recognition just yet, okay?
But according to an article in The Telegraph, Dutch police chief Erik Ackerboom made a few key promises on behalf of Dutch police, and this included doubling their high-tech crime-fighting resources in the next 4 years, introducing better police monitoring, and of course improved data protection.
But they also presented a few tech-based ideas that I wanted to get your thoughts on.
All right, now one of these is that they're working on an app to help the public assist the cops with crime reporting and investigation. The app is called Ottomon.
Is that how I would say it, Martijn? Ottomon?
Like a sofa, an ottoman sofa.
I don't even know if it's a Dutch or an English pronunciation. Ottomon. Yes.
Okay, so the app Ottomon is said to be like Pokémon. Right?
So it's a game where the would-be Dutch Inspector Clouseaus out there get points for effectively going up the food chain and helping, you know, giving information to the authorities.
So it's a game where the would-be Dutch Inspector Clouseaus out there get points for effectively going up the food chain and helping, you know, giving information to the authorities.
What has happened to the world?
Okay, can I please— Let me just give an example of how it is before you freak out, okay? Get your soapbox ready, but don't stand on it just yet.
You've got to have an app to report a crime. Great. Okay, now carry on, carry on, go on then.
Okay, so the way they're selling it is, hey, you guys can help us to find lost or stolen cars, right? So I imagine it would work like this. So Graham, you, the Dutch civvy detective.
Yes. Yes.
You get an alert on your phone, you're checking out the app in the morning, and you see that there's a stolen car reported in your neighbourhood.
Stolen car, yes.
And let's say it's a white Volkswagen Beetle named Herbie, right? So you get really excited, you jump out of bed, and you go hunting for this car.
And when you find it, you take a picture of the license plate, its location, send it to the cops, and collect your amazing citizen reward points.
And when you find it, you take a picture of the license plate, its location, send it to the cops, and collect your amazing citizen reward points.
Okay.
I kind of see that this does have some potential, right? There's a lot of police departments out there who are struggling to meet today's crime and policing demands.
I can kind of see the allure of getting volunteers to help monitor the streets for nonviolent crimes.
But this idea of applying game theory rewards taps into our deepest wannabe detective fantasies, doesn't it?
It's kind of like you're getting recognised and you get to play at being a detective.
I can kind of see the allure of getting volunteers to help monitor the streets for nonviolent crimes.
But this idea of applying game theory rewards taps into our deepest wannabe detective fantasies, doesn't it?
It's kind of like you're getting recognised and you get to play at being a detective.
Carole, if this is your detective fantasy, then I'm really worried for your private life.
No, mine's very different.
Mine's very different.
Okay, but however, I have a— there's a few concerns here, right?
Gamifying the reporting of crime is very different from putting out a kind of bulletin saying, hey, can you help us find this car to everyone?
Because you're effectively nudging people into being rewarded to kind of be vigilant. And that's just a few steps away from actually spying on other civilians or your neighbors.
I don't think it's far-fetched to imagine an app like this would have a kind of a button that says, hey, report something suspicious.
And then you're kind of in a kind of, I don't know, monitored state, right? Where we're all watching each other. I mean, isn't that why we have cops in the first place?
We don't have to do that.
Gamifying the reporting of crime is very different from putting out a kind of bulletin saying, hey, can you help us find this car to everyone?
Because you're effectively nudging people into being rewarded to kind of be vigilant. And that's just a few steps away from actually spying on other civilians or your neighbors.
I don't think it's far-fetched to imagine an app like this would have a kind of a button that says, hey, report something suspicious.
And then you're kind of in a kind of, I don't know, monitored state, right? Where we're all watching each other. I mean, isn't that why we have cops in the first place?
We don't have to do that.
So here would be the next step, right?
If they've got an app which they're encouraging you to take photographs of people's number plates in case they've got stolen cars, why not take that a stage further and think, well, rather than just cars, why don't we start looking for criminals themselves?
So here are the pictures of the criminals we're after. If you see them, get a selfie done with them. There you are in Amsterdam.
By the way, the whole idea of pointing cameras around in Amsterdam, sort of things you may be photographing, I'm slightly worried.
I've never dared go to Amsterdam, but I've heard stories.
If they've got an app which they're encouraging you to take photographs of people's number plates in case they've got stolen cars, why not take that a stage further and think, well, rather than just cars, why don't we start looking for criminals themselves?
So here are the pictures of the criminals we're after. If you see them, get a selfie done with them. There you are in Amsterdam.
By the way, the whole idea of pointing cameras around in Amsterdam, sort of things you may be photographing, I'm slightly worried.
I've never dared go to Amsterdam, but I've heard stories.
But Netherlands is a little bit bigger than Amsterdam, just so you know.
Okay, thank you. Thank you.
I have at least one taxi driver conversation a week where I have to explain that I'm not from Amsterdam, that I never lived in Amsterdam, that I actually grew up with a strong dislike for Amsterdam.
Anyway, go on.
Anyway, go on.
I think it's basically the equivalent of our Blackpool. And yeah, anyway, but there you are.
And then you start taking pictures of people and, you know, uploading them to the facial recognition. I don't know.
And then you start taking pictures of people and, you know, uploading them to the facial recognition. I don't know.
I mean, we've been here before and I think we just want to be very careful. There's a lot of tech out there and it's all marketed to be fun and engaging.
So the way in which we would do this in the UK is we would have a number plate recognition camera on top of a bridge over a motorway or something.
Oh, and I'm sure they're going to have that stuff as well, right?
Well, I wonder if they do. Do they have that sort of thing in the Netherlands?
We don't have as much surveillance cameras as the UK because no country has as many surveillance cameras as the UK.
Right. That's what I figured, yeah.
And I wonder whether there are more obvious privacy concerns with the police putting those cameras in rather than, hey, it's just someone walking down the street, taking people's photographs and taking the photographs of cars.
And I wonder whether there are more obvious privacy concerns with the police putting those cameras in rather than, hey, it's just someone walking down the street, taking people's photographs and taking the photographs of cars.
Yeah.
I'm not, I mean, I find it hard to compare the privacy concerns of one country compared to the next.
There are things that in the UK are completely normal that every Dutch person freaks out about, like these cameras.
At the same time, the Dutch have a very detailed government registry system, which means that if you move homes, you go to the municipality once and you get a letter when there's an election and they know you live there and that's all linked.
That's kind of probably crazy from a UK point of view.
There are things that in the UK are completely normal that every Dutch person freaks out about, like these cameras.
At the same time, the Dutch have a very detailed government registry system, which means that if you move homes, you go to the municipality once and you get a letter when there's an election and they know you live there and that's all linked.
That's kind of probably crazy from a UK point of view.
Yeah.
Well, I guess your hope, if they do go ahead with this app, I'm hoping that there are, that users of the app have to be logged in appropriately and effectively traceable, that they do criminal background checks on the people that are actually using the app and getting access to the information, and that you can log activity, I guess.
Well, I guess your hope, if they do go ahead with this app, I'm hoping that there are, that users of the app have to be logged in appropriately and effectively traceable, that they do criminal background checks on the people that are actually using the app and getting access to the information, and that you can log activity, I guess.
Isn't there the potential, right? If I was being a little bit crooked here, right? If I was Mr. Big when it came to stealing cars in the Netherlands, couldn't you pinch a car, right?
And then you could take photographs of other cars or similar cars or doctor, maybe you could doctor the location information, send police on a wild goose chase, or maybe you could doctor the picture itself to say the number plate of the thing which they're looking for.
Doesn't a serious car thief anyway change the number plate? Actually thinking about this.
And then you could take photographs of other cars or similar cars or doctor, maybe you could doctor the location information, send police on a wild goose chase, or maybe you could doctor the picture itself to say the number plate of the thing which they're looking for.
Doesn't a serious car thief anyway change the number plate? Actually thinking about this.
Well, I guess it might help with lower crime.
I guess the idea at the moment is, you know, say some kids steal a car, go joyriding, leave it, you know, dump it in a street, a side corner street, and someone sees it.
They don't need a beat cop to spot it because they've got good old civilians to go, hey. But I suspect that people would do that anyway, right? I don't think you need the app.
I think—
I guess the idea at the moment is, you know, say some kids steal a car, go joyriding, leave it, you know, dump it in a street, a side corner street, and someone sees it.
They don't need a beat cop to spot it because they've got good old civilians to go, hey. But I suspect that people would do that anyway, right? I don't think you need the app.
I think—
Well, I don't know. I don't know if I agree with you on that. I think there's some busybody sort of person who would think, oh, look, there's an unusual car parked in my street.
Most people wouldn't report that, would they? But if they had an app, I mean, I guess this is what the police are banking on.
If they had an app and it was that easy for someone to do.
Most people wouldn't report that, would they? But if they had an app, I mean, I guess this is what the police are banking on.
If they had an app and it was that easy for someone to do.
Yeah.
And you—
Called Twitter.
And you got, no, and you got, you know, 20 points or something by uploading it to the Dutch police, then maybe people will do it more. I don't know if I like it, but—
Yeah, they're gonna do it more and then everyone's gonna, it's gonna be a nanny state. Great. Bring it on. This episode of Smashing Security is supported in part by NetSparker.
NetSparker is a web application security scanner that can automatically find security flaws in your website and fix them before hackers can exploit them.
Try it now by downloading a demo from www.netsparker.com/smashing. On with the show.
NetSparker is a web application security scanner that can automatically find security flaws in your website and fix them before hackers can exploit them.
Try it now by downloading a demo from www.netsparker.com/smashing. On with the show.
Welcome to the part of the show which we like to call Pick of the Week.
Our Pick of the Week.
Pick of the Week.
I love it when we have a regular listener as a guest on the show. He knows what to do. Excellent work, Martijn.
This is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, TV show, movie, record, an app, a website, a podcast, whatever.
Doesn't have to be security related if you don't want it to.
This is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, TV show, movie, record, an app, a website, a podcast, whatever.
Doesn't have to be security related if you don't want it to.
Should not be.
It doesn't have to be.
Mine isn't. No one's is, right?
Well, this week it isn't because my pick of the week is a great little game called Blokus. B-L-O-K-U-S.
Is this a board game or an app?
Oh, well, oh, I don't know if it's an app as well. I've always played it as a board game, you know, on the dining room table with the family.
You can play up to 4 people, and you have these little plasticky, transparent sort of pieces on a grid.
They look like Tetris shapes that you can't have your own coloured pieces touching each other. But they do have to be connected diagonally. Does that make sense?
You can play up to 4 people, and you have these little plasticky, transparent sort of pieces on a grid.
They look like Tetris shapes that you can't have your own coloured pieces touching each other. But they do have to be connected diagonally. Does that make sense?
I'm waiting for why I care.
Well, I'm going to explain exactly why you should care. As more and more pieces are put down, so begins the strategy.
Because you are allowed to put your pieces adjacent to the other colored pieces and you're beginning to gain more and more territory.
And it's actually— it's a surprisingly easy game to learn, but quite sophisticated. And you begin to—
Because you are allowed to put your pieces adjacent to the other colored pieces and you're beginning to gain more and more territory.
And it's actually— it's a surprisingly easy game to learn, but quite sophisticated. And you begin to—
So it's basically an amped-up version of tic-tac-toe.
No.
Tic-tac-toe? Noughts and crosses?
Yes.
No.
Of course, of course it's noughts and crosses.
Sorry, have I done such a bad job of describing it? It's nothing like noughts and crosses.
Maybe I tuned out.
Yeah, I think maybe you did.
I just don't think you take Pick of the Week very seriously.
It's great fun. I've just found out that you can play online as well, Carole. Oh, there you go, you're welcome. So I'll include a link to that as well in the show notes.
I'm recommending it. I know a lot of people out there think I have excellent choice when it comes to pick of the weeks.
And so they will be rushing to go and get their copy of Block Us. Thank you very much.
I'm recommending it. I know a lot of people out there think I have excellent choice when it comes to pick of the weeks.
And so they will be rushing to go and get their copy of Block Us. Thank you very much.
It does look right. And I'm doing a Google image search, which gives you a good enough picture already. And it does look kind of cool.
Thank you.
Martijn.
My pick of the week is a little bit of a security story, but a little bit not as well.
It is about something I read about the first cyber attack ever, which took place in the year 1834.
Now, there weren't any computers back in 1834, and in fact, there wasn't even an electric telegraph, but there was something called an optical telegraph.
So in various countries, there were networks of towers with on top of the tower a mechanism with some wooden arms, and a human operator could set these arms in various positions which correspond to letters and digits, and these could be read by the operator on the next tower.
And this way you could send a message over long distances within a very short time, a few minutes to cover Paris to Bordeaux.
It is about something I read about the first cyber attack ever, which took place in the year 1834.
Now, there weren't any computers back in 1834, and in fact, there wasn't even an electric telegraph, but there was something called an optical telegraph.
So in various countries, there were networks of towers with on top of the tower a mechanism with some wooden arms, and a human operator could set these arms in various positions which correspond to letters and digits, and these could be read by the operator on the next tower.
And this way you could send a message over long distances within a very short time, a few minutes to cover Paris to Bordeaux.
This is a big mechanical version of semaphore or something that.
It's exactly that, yes.
Right, okay, that sounds really clever.
So France was one of the countries with such a network, and because of the cost of operating it, it was exclusively used by the government.
Now, two bankers in Bordeaux, which is a city a few hundred miles southwest of Paris, they found a sneaky way to hack the system and have messages about trades in Paris sent to them in a covered way so that they could act upon them faster than the competitors who had to wait for the mail coach, which would take days.
So they did this by exploiting a special backspace character used by the system.
So they had an accomplice in Paris send a letter that somehow in a pre-agreed way encoded some kind of market activity, then add a backspace, and then send the actual message.
And this backspace as well as the secret character would be sent all the way to Bordeaux, but it wouldn't be logged because everyone thought a mistake had been made.
So no one noticed what was sent, but they could see the secret message from a safe distance. This went on for two years.
Now, two bankers in Bordeaux, which is a city a few hundred miles southwest of Paris, they found a sneaky way to hack the system and have messages about trades in Paris sent to them in a covered way so that they could act upon them faster than the competitors who had to wait for the mail coach, which would take days.
So they did this by exploiting a special backspace character used by the system.
So they had an accomplice in Paris send a letter that somehow in a pre-agreed way encoded some kind of market activity, then add a backspace, and then send the actual message.
And this backspace as well as the secret character would be sent all the way to Bordeaux, but it wouldn't be logged because everyone thought a mistake had been made.
So no one noticed what was sent, but they could see the secret message from a safe distance. This went on for two years.
This is the earliest cybercrime ever.
That is fantastic. So we'll put a link in the show notes where people can read up more about that. But that sounds—
That's a good pick of the week, isn't it, Graham?
Well, yes, I recognize a good pick of the week when I see one. Yes, this was a good pick of the week. Well done, Martijn.
Thank you. If you this sort of thing, the guy is Thom Standage and the book is called The Victorian Internet. And it's really cool. It's one of my favorite history books.
Perfect. I think that's a perfect pick of the week.
Well, we've had two good picks of the week so far.
I can't wait to see what Carole's pick of the week is going to be so we can judge it and determine if it's of the same sort of quality.
I can't wait to see what Carole's pick of the week is going to be so we can judge it and determine if it's of the same sort of quality.
Well, Graham, I picked my pick of the week for you. Now, do you remember we used to work together a while ago?
And one day when, during those 15 years of working together, I came down from a meeting and I brought you an amazingly delicious chocolate.
And one day when, during those 15 years of working together, I came down from a meeting and I brought you an amazingly delicious chocolate.
Oh boy.
And you were so touched. I remember you were just "Oh, that's lovely," you said.
At first, I thought it was a very kind thing to do.
And you popped it in your mouth. Yes. And?
I thought, "That's so kind. She's walked all this way with this lovely chocolate." And I convinced you I'd already had one and that I loved it. Yes.
And it was delicious. She said, "Oh, it's lovely. Try this, Graham." I thought, "This is so generous of you." And I put it in my mouth and I munched away and I went, "Oh my God!
Oh, this is the most disgusting!" Tasting.
Oh, this is the most disgusting!" Tasting.
Oh, whoa, whoa.
Now what I'd given him was a durian chocolate. And so my pick of the week is an article on Mashable, which is a video of 100 people attempting to eat durian.
I don't know if I want to watch this. This is basically people being tortured. Do they realize what they're going to do? Well, this is terrible. This is that Human Centipede movie.
This is just a terrible, terrible thing which should never be allowed. Okay, I'm playing it right now. They're tucking in.
This is just a terrible, terrible thing which should never be allowed. Okay, I'm playing it right now. They're tucking in.
Oh.
Oh yes, she is swearing already.
It smells basically. A lot of people say rotting trash, rotting fish.
Oh.
You remember. I never actually tried it.
What? You never— and you made me eat it?
No, I knew about it. You see, I do a lot of food reading, so I—
Basically, this is a video of people who look they're about to be physically sick. Well, that's nice.
That's my pick of the week.
So you've sent us a vomitarian video, basically.
Enjoy, folks. Enjoy. And you are welcome, because I think you'll have a bit more fun at my pick of the week. Let's be honest.
I'm not so sure. I don't know why we're talking this, but I'm not so sure about that, Carole.
Well, if you want to give us a bit of love, you can follow us on Twitter @SmashingSecurity without a G. Twitter doesn't allow stuff with a G.
Or you can join our Facebook group at smashingsecurity.com/facebook. That'll take you straight there. And we have swag if you want to buy a t-shirt at smashingsecurity.com/store.
And that just about wraps it up. Martijn, if people want to follow you online, what's the best way to do that?
Well, if you want to give us a bit of love, you can follow us on Twitter @SmashingSecurity without a G. Twitter doesn't allow stuff with a G.
Or you can join our Facebook group at smashingsecurity.com/facebook. That'll take you straight there. And we have swag if you want to buy a t-shirt at smashingsecurity.com/store.
And that just about wraps it up. Martijn, if people want to follow you online, what's the best way to do that?
Just go to @martijn_grooten on Twitter.
Cut and paste it from the show notes, people.
M-A-R-T-I-J-N_G-R-O-O-T-E-N.
So thanks for tuning in, everybody. If you know someone else who might the Smashing Security podcast. Go on, tell them about it.
Yeah, pass this on.
Yeah, why not? Until next time, cheerio. Bye-bye.
Bye.
Was that all right?
Your pick of the week sucked, man. Let's be honest.
No, really, it doesn't.
Okay, okay. You know what? I will reserve judgment. As I said, I'll go check it out. I'll go check it out.
Of course, for the millions of us using (non-new Pixel) Android phones, the carriers will NEVER update this massive breach, nor with the political arm of Comcast (the former FCC) will do jack squat to lean on these a-holes. They will all parrot the same advice: BUY NEW HARDWARE, CA-CHING. There Ain't No Justice.
…within range of your Wi-Fi network…., and the range is?
Reason I ask is that I live in a flat , 7 metres above ground level.
The Range depends on the sensitivity of the antenna on the attacker's device, but it's at least 300 feet (length of a football field), commonly as far as 600 feet and with the right antenna likely to be much further than that. 7 metres = 22 feet, which is well within the range limit of Bluetooth, let alone WiFi.
Thanks although wondering how prominent the antenna are?
Could it be used within a car or would the antenna have to be used in an open area such as a field?