The country of Papua New Guinea is reportedly planning a month-long national ban of Facebook.
Why? To research the effect that the addictive social network has on the South Pacific island’s populace, and to root out “fake users”:
Communications Minister Sam Basil said that the shutdown would enable the department and National Research Institute to conduct further research on how the social network was being used by users.
“The time will allow information to be collected to identify users that hide behind fake accounts, users that upload pornographic images, users that post false and misleading information on Facebook to be filtered and removed.”
“This will allow genuine people with real identities to use the social network responsibly,” Mr Basil said.
The Minister said that the department could better analyse the positive impact it would have on the population during the month-long shutdown and weigh the impact of progress without or with its use.
There certainly could be some positive impact in terms of productivity if residents of Papua New Guinea can’t get their Facebook fix, but it would clearly be bad news for companies which use Facebook to provide customer support or raise awareness about their products.
But the report about Papua New Guinea’s Facebook ban is frustratingly devoid of detail. When is this ban planned to begin? How will the ban be implemented? Couldn’t simple use of a VPN trick whatever is intending to block Facebook into thinking the user is going somewhere else entirely? Or will VPNs be blocked too?
Furthermore, how will the Papua New Guinea government measure the impact of the experiment? A month doesn’t sound like a very long time to measure the long term impact that deleting Facebook would have on islanders.
And what’s all this about “identifying users who upload pornographic images… and post false and misleading information”? How would a Facebook ban help with that? If Papua New Guinea is worried about “fake news” surely there are ways to measure and research that without issuing an outright ban on Facebook?
It’s all rather baffling. At least, until you see what else Sam Basil has to say:
“We can also look at the possibility of creating a new social network site for PNG citizens to use with genuine profiles as well.”
“If there need be then we can gather our local applications developers to create a site that is more conducive for Papua New Guineans to communicate within the country and abroad as well.”
And there you have it. It’s very easy to read into this that the-powers-that-be in Papua New Guinea are not very keen on Facebook, and in particular profiles that may be posting “false and misleading information”.
It would be easy to conclude that if the government’s month-long experiment concludes “irresponsible” Facebook use is having a negative impact on islanders’ social well-being, security and productivity, that it may use it as a springboard for creating its own version of Facebook.
A government’s own version of Facebook, with confirmed identities, where you would always know who said what and (presumably) who might be saying something that is critical of thoe in authority…
I’m no fan of Facebook, and I think everyone taking a break from Facebook is a healthy thing, but I’m not sure I like where a government-backed Facebook clone is heading.
Let’s hope instead that Papua New Guinea is as concerned as the rest of us should be about how Facebook users can find their personal information exploited and opinions unduly influenced by malicious actors.
Papua New Guinea currently has low internet and Facebook penetration compared to much of the rest of the world, so if it does wish to take action against the darker side of social media then now is possibly a good time to do it.
Just don’t build something worse to replace it.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Right?
Let me just do a charity single. We are the world, we are the people, we wanna hear Carole back on the show, let's have her back again. Graham, sorry what he said to Mrs.
Cluley in bed about his annoying Canadian co-host the other day. Smashing Security, Episode 80.
Country Bands Facebook, Eavesdropping Alexa, and Pornhub VPN with Carole Theriault and Graham Cluley. Hello, hello, and welcome to another episode of Smashing Security, episode 80.
My name is Graham Cluley.
Cluley in bed about his annoying Canadian co-host the other day. Smashing Security, Episode 80.
Country Bands Facebook, Eavesdropping Alexa, and Pornhub VPN with Carole Theriault and Graham Cluley. Hello, hello, and welcome to another episode of Smashing Security, episode 80.
My name is Graham Cluley.
I'm Carole Theriault.
Hi, Carole.
Hi, Graham.
And we are joined this week by a special guest. He's new to the show. It's Tommi Uhlemann from ESET. Hello, Tommi Uhlemann.
Guten Tag. Hallo.
What are you barfing on his name for?
What if that's how you say it, Carole?
Uhlemann. How do you say it, Tommi?
Guys, we've been practicing for 30 minutes. It's Uhlemann.
Uhlemann.
Uhlemann. That's quite nice, yeah.
And Tommi, you work for ESET, of course, a world-famous security company. You're based out in Germany, aren't you? What sort of things do you get up to out there?
Well, basically any new things come up, I have to talk about it. Sometimes I even know things about it.
And so writing articles, security presentations, pretty much the things you do, but in a much smaller scope, I think.
And so writing articles, security presentations, pretty much the things you do, but in a much smaller scope, I think.
Now I haven't already quizzed you about this, but I'm going to make a shot in the dark here.
I'm guessing you might, in recent weeks or maybe even months, spoken about something called GDPR. Is that something that German people care about at all?
I'm guessing you might, in recent weeks or maybe even months, spoken about something called GDPR. Is that something that German people care about at all?
Yes. Do they really care about it though? Or are they sick to the back teeth about it like we are?
Well, data protection was invented in Germany, wasn't it?
Right.
OK, Tommi, if you were standing outside a Lidl, a German supermarket, and people were walking in and you would say, GDPR, do you know what it is? Was ist das?
Right?
What would most of them know, or would most of them not know, do you think?
Most of them wouldn't know because we've got another acronym for it.
Well, the truth is Germans don't actually have four words for anything, do they? They stick all four words together. You'd have some word which is 67 letters long.
Is that where supercalifragilisticexpialidocious?
Hold on. GDPR is exactly one word in German.
Of course.
It's short. DSGVO, and it's short for Datenschutzgrundverordnung. Nice, isn't it?
This week's episode of Smashing Security is sponsored by VirusTotal. Now, you probably know VirusTotal as a malware research tool.
Over 1 million files are uploaded every day by folks analyzing malware and attempting to determine what different antivirus products call a sample.
But you can do much more than that with VirusTotal Intelligence, which helps you get more context about your alerts through advanced malware threat hunting, relationship and behavioral visualization, as well as historical analysis on billions of malware samples.
To learn more about how VirusTotal Intelligence can help you, visit virustotal.com/learn or email the team at .
And be sure to say you heard about them on the Smashing Security podcast. And welcome back.
Well, as normal, we've been looking back over the computer security stories of the last week, and my story involves the letters PNG.
Now, Tommi, Carole, could it be Portable Network Graphics? PNG, what could it stand for? Persona non grata, maybe? Pencil-necked geek?
Over 1 million files are uploaded every day by folks analyzing malware and attempting to determine what different antivirus products call a sample.
But you can do much more than that with VirusTotal Intelligence, which helps you get more context about your alerts through advanced malware threat hunting, relationship and behavioral visualization, as well as historical analysis on billions of malware samples.
To learn more about how VirusTotal Intelligence can help you, visit virustotal.com/learn or email the team at .
And be sure to say you heard about them on the Smashing Security podcast. And welcome back.
Well, as normal, we've been looking back over the computer security stories of the last week, and my story involves the letters PNG.
Now, Tommi, Carole, could it be Portable Network Graphics? PNG, what could it stand for? Persona non grata, maybe? Pencil-necked geek?
Oh, you Googled this, did you? Just to look impressive? Of course you did.
It is in fact Papua New Guinea. Have any of us been to Papua New Guinea?
I don't think I've ever said it that way. Is it Papa New Guinea? Papua?
What, you say Papa New Guinea?
I do. I think I always have.
Papa New Guinea. Well, maybe you're right. Maybe it's actually Papa New Guinea. Who knows? Silent U. I don't know.
Okay, well, no offense to anyone, but please inform us.
Okay, I'm going to just have to say PNG from now on. Well, PNG, I'll give you some fascinating facts about PNG other than the fact that I don't know how to say it.
They have 3 official languages: English, Hiri Motu and Tok Pisin. Oh, please, please. This isn't the kind of podcast where we make fun of foreign words, right?
They have 3 official languages: English, Hiri Motu and Tok Pisin. Oh, please, please. This isn't the kind of podcast where we make fun of foreign words, right?
Well, but I can say I'm fluent in the latter one.
You're fluent. Talking of which, the average rainfall is 80 to 160 inches per year, and as of last year, there were 7 points—
That's not fascinating.
Is that not fascinating?
Well, not to me. Is it to you?
54th largest country in the world.
Any Scottish listener would say, bah.
Well, I'll tell you what actually makes Papua, or maybe Papua— oh, for goodness' sake, I don't know.
PNG.
PNG. I'll tell you what makes them more fascinating for me right now is they say they are going to ban Facebook for a month. Hurrah!
Are you kidding? Okay, wait, rewind.
Election's coming up.
The entire country is going to ban Facebook?
Well, according to press reports from PNG, Papua New Guinea. Their government is saying that they are going to do this as a month-long experiment nationwide.
They don't say exactly when they're going to do this, but their intention is to find out and research the impact that Facebook is having on their population and to root out fake users.
They don't say exactly when they're going to do this, but their intention is to find out and research the impact that Facebook is having on their population and to root out fake users.
Ooh.
So it's no punishment, but a test.
Well, I don't know if it would be a punishment. It might be a treat. Good news, everybody! You don't have to worry about Facebook anymore.
I mean, it's good news maybe for people who might be addicted to it, because maybe this is the push that they need to separate them from their addiction.
It's maybe bad news for any company or organization which may use Facebook for a positive purpose.
But Communications Minister Sam Basil said that the shutdown would enable his department to conduct research into the social network.
And what they want to do is find out who hides behind fake accounts, who are the users that upload pornographic images, who's posting false and misleading information.
Now, I don't understand why you have to close down Facebook or prevent people from accessing it to work out who might be behind a fake account.
I don't see how that actually helps the government.
I mean, it's good news maybe for people who might be addicted to it, because maybe this is the push that they need to separate them from their addiction.
It's maybe bad news for any company or organization which may use Facebook for a positive purpose.
But Communications Minister Sam Basil said that the shutdown would enable his department to conduct research into the social network.
And what they want to do is find out who hides behind fake accounts, who are the users that upload pornographic images, who's posting false and misleading information.
Now, I don't understand why you have to close down Facebook or prevent people from accessing it to work out who might be behind a fake account.
I don't see how that actually helps the government.
That's interesting. And also, there's two messages here. One is we want to see what social networking does to a population as almost a scientific experiment.
But then there's this other kind of we want to weed out— they're not trying to block user accounts. We want to know who is behind these accounts.
So it looks a bit like a witch hunt.
But then there's this other kind of we want to weed out— they're not trying to block user accounts. We want to know who is behind these accounts.
So it looks a bit like a witch hunt.
Well, it's unclear how the ban is actually going to work. Are they going to do this with local ISPs blocking access to Facebook?
And if so, how's that going to prevent people with VPNs from accessing Facebook because they'll be able to pretend that they're going somewhere else entirely.
So unclear how that's going to work. Are they going to block VPNs as well?
And if so, how's that going to prevent people with VPNs from accessing Facebook because they'll be able to pretend that they're going somewhere else entirely.
So unclear how that's going to work. Are they going to block VPNs as well?
Yeah, this would cause a riot, I think, in the UK if Theresa May came out and said, "Guess what, dudes, we're blocking Facebook." So how are they being able to pull this off with their population?
Well, you say that it would cause a riot in the UK. The truth is that this is an apathetic population who are on Facebook. What are they going to do?
They're just going to switch over to Instagram and post up a non-smiley selfie or something. They're hardly going to storm the streets, are they, with placards?
They're just going to switch over to Instagram and post up a non-smiley selfie or something. They're hardly going to storm the streets, are they, with placards?
I don't know. If they spend 2 hours plus on Facebook a day, they've got a lot of time on their hands. Carry on, sorry.
I want to know how PNG, or Papua New Guinea perhaps, how they're going to measure the impact of this. A month doesn't sound a very long time to me anyway.
Maybe they're planning never to turn it back on because they're going to find so much corruption in it.
Interesting, isn't it?
They're going to protect their population.
So what interests me is this — I find it all a bit baffling. So I read a little bit more about this communications minister was saying.
Sam Basil has said we're going to look into this, what the impact is and how PNG citizens could use Facebook with genuine profiles.
And he says if need be, maybe we need to get some of our local population and developers, or 7.8 million people who live there, to create their own version of Facebook which is more conducive to us and the people who live on our island.
So what he's actually saying is maybe we should have our own Facebook and not use that one.
Sam Basil has said we're going to look into this, what the impact is and how PNG citizens could use Facebook with genuine profiles.
And he says if need be, maybe we need to get some of our local population and developers, or 7.8 million people who live there, to create their own version of Facebook which is more conducive to us and the people who live on our island.
So what he's actually saying is maybe we should have our own Facebook and not use that one.
He's not saying that. He's saying let's have a closed network just for PNG people, right?
But built by them with real—
Built by them. And because no one else will be able to connect, I wouldn't be able to connect into it. I wouldn't be welcome to have an account, I guess.
I doubt there's much incentive, to be honest. But the fact is that you would need a real confirmed identity to do so.
And that's what makes me a little bit suspicious about this, because they're worried about people posting false and misleading information.
It's hang on, the government are worried about what people are posting and how it could be false and misleading, and then they're beginning to say, well, maybe we need our own Facebook with confirmed identities.
That presumably is going to make it harder for someone who has something to say which is critical of those in authority in PNG to post those messages on a new network.
And that's what makes me a little bit suspicious about this, because they're worried about people posting false and misleading information.
It's hang on, the government are worried about what people are posting and how it could be false and misleading, and then they're beginning to say, well, maybe we need our own Facebook with confirmed identities.
That presumably is going to make it harder for someone who has something to say which is critical of those in authority in PNG to post those messages on a new network.
Even worse, organized criticism, right?
Because, okay, but Graham, Graham, Graham, you're basically saying do you want to trust a private corporation with your most personal data, or do you want to trust the government who already has all your real personal information, your tax records, etc., etc.?
I am the last person in the world who would really sort of say, "Oh well, I'm going to put all my trust in Mark Zuckerberg wearing his hoodie, downloading ringtones onto his mobile." It's just vile that I would put any trust—
He has a really beautiful dog.
Oh, whatever. Just don't go on social networks, folks. I think if they can do this experiment for a month, maybe they should do it for 6 months.
Unplug your phone now, throw it into the sea.
It's not that far if you live there.
Goodbye all, goodbye.
Tommi, what have you got for us this week?
Something for maybe the people of P&G, because it's a VPN solution. And also it fits the upcoming holiday seasons.
I think, because we always advise people not to log into public Wi-Fi.
I think, because we always advise people not to log into public Wi-Fi.
Yeah, it can be a bad idea to log into public Wi-Fi. We often say try to avoid that.
A couple of years back, I was guessing that VPNs would grow mushrooms. A VPN here, a VPN there. So it's no surprise that there is a new VPN provider.
The surprise is actually the ones who are providing the VPN service.
The surprise is actually the ones who are providing the VPN service.
Okay.
Is it a trustworthy, respectable organization?
I'd say for their users, probably so, because they got a large user base, the ones creating the VPN service.
Okay.
And maybe we can have a little drum roll here.
That was a drum roll, wasn't it? There wasn't anything else going on.
It sounded a little poop.
I heard some throbbing coming from Germany. But anyway, okay.
No, the app is called VPN Hub. And actually, yes, you might guess right. It's Pornhub providing the VPN service.
Oh, with all the encryption, everything you dreamed of, with apps for iOS, for Android.
Oh, with all the encryption, everything you dreamed of, with apps for iOS, for Android.
Just one moment, Tommi. Did you say that this is a VPN being launched by Pornhub? So Pornhub is a website about... Oh, I've never even heard of it.
Adult entertainment services, maybe?
Okay, so this is a porno website which has launched its own VPN, which will be able to protect its users, as it were, shield them as they go online.
So if they're in a cyber cafe, yes, they will be able to connect to this site and people won't know where they're going, other than looking over their shoulder, obviously.
So if they're in a cyber cafe, yes, they will be able to connect to this site and people won't know where they're going, other than looking over their shoulder, obviously.
Hey, sorry, this is Pornhub. Pornhub, the company that had some kind of malvertising attack about a year ago and lost loads of data and basically put their users at huge risk.
I'm just looking at an article right now that says could have given masturbators some sleepless nights.
I'm just looking at an article right now that says could have given masturbators some sleepless nights.
I don't know if we should focus on that, but I was trying to close that circle in another way, referencing back to the Mirai attacks back in October 2016.
They run this decentralized DNS service or utilizing these instead of relying on just one service. And on several other occasions, their IT infrastructure has been praised.
So besides the fact, surprising fact, that a porn website service may launch a VPN service, actually they have proven to me that they might have infrastructure which is reliable.
They run this decentralized DNS service or utilizing these instead of relying on just one service. And on several other occasions, their IT infrastructure has been praised.
So besides the fact, surprising fact, that a porn website service may launch a VPN service, actually they have proven to me that they might have infrastructure which is reliable.
Well, it's often been the way, hasn't it, that the X-rated websites are the ones which have really pushed internet technology to the limit. And—
Well, I mean, it kind of had to, right? Because their users would be, if anyone finds out how much time I spend on this porn site—
But in terms of— I'm thinking in terms of things streaming video, and now we've got sort of what do they call these things where you see everything in 3D, you know, the augmented reality?
And it's the adult entertainment business which is really pushing this technology.
So I'm not surprised necessarily that their site stayed up, as it were, during the Mirai attack when others went down.
But it's also— so presumably with this VPN, you won't use it simply to go to Pornhub, will you?
You could use it to go to BBC News or, you know, iPlayer or any website on the internet, right?
And it's the adult entertainment business which is really pushing this technology.
So I'm not surprised necessarily that their site stayed up, as it were, during the Mirai attack when others went down.
But it's also— so presumably with this VPN, you won't use it simply to go to Pornhub, will you?
You could use it to go to BBC News or, you know, iPlayer or any website on the internet, right?
Yes, it's not about only naked people. It's about, you know, finding content that you're blocked accessing.
So now you will be able to have on your credit card statement a monthly payment to Pornhub in some form or other, and I don't know what holding company—
Not necessarily. No, you can use that service completely for free and unlimited. So it's free unlimited bandwidth, and as long as you use a mobile device.
Once you want to install it on your Mac, for instance, or your Windows, you need the premium version. That requires a subscription fee, but you also get 24/7 support.
But nonetheless, I mean, the graphics itself, they aren't differing from other VPN services. So there's no connection to Pornhub actually in the GUI.
I don't know about the bill you get because honestly I didn't use the service yet.
Once you want to install it on your Mac, for instance, or your Windows, you need the premium version. That requires a subscription fee, but you also get 24/7 support.
But nonetheless, I mean, the graphics itself, they aren't differing from other VPN services. So there's no connection to Pornhub actually in the GUI.
I don't know about the bill you get because honestly I didn't use the service yet.
Yeah, it might be a way for Pornhub to legitimize its name on such things as credit card statements, right? You go, no, no, no, no, no, that's just my VPN, darling.
No, but in—
Well, $59.99 a night.
Will the app running on your phone— you said there's a free app for your smartphone if you want the free VPN.
Will that monetize itself in some fashion, maybe with some advertising, some targeted content?
Will that monetize itself in some fashion, maybe with some advertising, some targeted content?
Well, targeted content, I don't know, but it is advertising-based.
Yes. How curious. What a strange world we live in.
I wonder how also this will fit in with some things which are beginning to be introduced in the UK, where they're really looking for an identity scheme to confirm that people are adults before they access pornographic websites.
And this may be part of Pornhub's move attempting to deal with these sort of systems being corporate in different countries, because this would be a way, of course, for them to have your details and say, yes, you've created an account, you've given us your credit card details, you confirmed that you're over 18, for instance.
I wonder how also this will fit in with some things which are beginning to be introduced in the UK, where they're really looking for an identity scheme to confirm that people are adults before they access pornographic websites.
And this may be part of Pornhub's move attempting to deal with these sort of systems being corporate in different countries, because this would be a way, of course, for them to have your details and say, yes, you've created an account, you've given us your credit card details, you confirmed that you're over 18, for instance.
Or you've very successfully duped me into thinking that you're your mom.
Yeah, you've stolen your mom's credit card. Exactly.
I would just remind everybody, before you jump and think, hey, this is a great idea, check the terms and conditions, especially for the free app used on the phone, to see what, if any, exchange is going on in terms of data.
Well, and also, I mean, my feeling is that if you're going to use a VPN, use one which is tried and trusted, maybe comes from a security background.
I tend to feel much more comfortable if I'm giving them money because then they have a vested interest in not trying to monetize my data in some fashion.
I tend to feel much more comfortable if I'm giving them money because then they have a vested interest in not trying to monetize my data in some fashion.
Do you think more expensive is better? Not necessarily, because VPN providers out there, I think you could do a special pricing for Graham offering—
Not necessarily— that is not the only criteria by any means.
The Black Diamond VPN at $1,000 a day.
Can you imagine giving Pornhub $1,000 a day?
That's—
Carole, what have you got for us today?
Okay, one sec. Let me just dust off my privacy drum because I plan to be banging it a lot today.
I think that's the Pornhub story.
Now, I think we could all agree that each of us have a right to have private conversations.
I'm talking about conversations that are definitely not meant to be overheard, let alone shared.
Maybe you and your main squeeze are fighting about money, or you're gossiping about a neighbor or colleague, or you're chatting to your kid about a problem at school, or maybe you're just about to get your freak on, if you know what I mean.
I'm talking about conversations that are definitely not meant to be overheard, let alone shared.
Maybe you and your main squeeze are fighting about money, or you're gossiping about a neighbor or colleague, or you're chatting to your kid about a problem at school, or maybe you're just about to get your freak on, if you know what I mean.
So no, no, I don't.
I'm sorry. I'm so sorry, Graham. But whatever it is, there are certain situations where you should have the right to assume privacy, right?
If you were somewhere public, you'd probably look around first to spot your wiggers. But shouldn't you be able to assume privacy in your own home or in your bedroom?
So check this out. An Oregon-based woman named Danielle recently got a serious privacy wake-up call. She and her husband were chatting away in their bedroom.
If you were somewhere public, you'd probably look around first to spot your wiggers. But shouldn't you be able to assume privacy in your own home or in your bedroom?
So check this out. An Oregon-based woman named Danielle recently got a serious privacy wake-up call. She and her husband were chatting away in their bedroom.
What could go wrong?
And her Echo virtual assistant, Alexa, mistakenly interpreted a noise as a command to hit record. Right?
Well, are you going to keep on saying the word Alexa, by the way? Because you know what happens when you mention Alexa on a podcast.
Graham, we already know we're going to have to censor each mention of Alexa.
So anyway, Carole. So Alexa heard a noise.
Alexa makes another mistake. It interprets snippets of the couple's bedroom chatter as a command to send the recording to Dave in Seattle. Who is Dave, you ask? Who is Dave?
Who is Dave?
Well, Dave just happens to be one of the husband's employees, right?
So Dave does the right thing and tells Danielle's husband that he received this weird audio recording from them out of the bedroom. Danielle's husband is like, no way.
And Dave is like, yes way, you guys were talking about hardwood floors. And husband goes, oh yeah.
All the while probably thinking, "Fuck, fuck, fuck, at any point did I call Dave a douche?" Right?
So Dave does the right thing and tells Danielle's husband that he received this weird audio recording from them out of the bedroom. Danielle's husband is like, no way.
And Dave is like, yes way, you guys were talking about hardwood floors. And husband goes, oh yeah.
All the while probably thinking, "Fuck, fuck, fuck, at any point did I call Dave a douche?" Right?
Or were we arguing about our Pornhub bill this week? Right. I'm trying to just, "It's a VPN, darling."
It's a VPN." Amazon talked about this snafu in a recent statement, and it says, "Echo woke up due to a word in the background conversation sounding like Alexa." Now, I can think of a lot of words that sound like Alexa.
No, like what? Did you?
No, like what? Did you?
Perplexer.
Perplexer.
It's a perplexer.
There are a lot of improper German words that would, but never mind.
Okay, so then Amazon carries on, says, then the subsequent conversation was heard as send message request, at which point Alexa said out loud, to whom?
Now, this is a big point of contention because Danielle said the device was at 7 out of 10 in terms of volume and she was right next to it and she didn't hear it say anything.
Anyway, there was a heck of a lot of coinkydink mistakes here that happened one after another. And I have yet to see one sorry for Amazon.
And why is it the big guys never own up and mea culpa when they fuck up? I mean, who else is liable here?
Now, this is a big point of contention because Danielle said the device was at 7 out of 10 in terms of volume and she was right next to it and she didn't hear it say anything.
Anyway, there was a heck of a lot of coinkydink mistakes here that happened one after another. And I have yet to see one sorry for Amazon.
And why is it the big guys never own up and mea culpa when they fuck up? I mean, who else is liable here?
Because they're terrified. Their lawyers are terrified. Never apologize for anything.
Exactly.
It could cost us millions. You know what America's like. As soon as anything happens at all—
I'm not talking about America. I'm sure big English companies would, I know, and big companies from all over the world would be exactly the same. But it grosses me out.
I mean, just think about it, Graham. You're in bed with Mrs.
Cluley bitching about your really annoying Canadian co-host, not for the first time, only for the recording to be sent directly to me.
And the message might be so awful that I decide never to do a podcast with you again. And think of the suffering that would cause the world.
I mean, just think about it, Graham. You're in bed with Mrs.
Cluley bitching about your really annoying Canadian co-host, not for the first time, only for the recording to be sent directly to me.
And the message might be so awful that I decide never to do a podcast with you again. And think of the suffering that would cause the world.
Oh yeah, dearly, right?
That needs to do a charity single. We are the world, we are the people, we wanna hear Carole back on the show. Let's have him back again. Graham's sorry what he said to Mrs.
Cluley in bed about his annoying Canadian co-host the other day.
Cluley in bed about his annoying Canadian co-host the other day.
You should replace annoying in your apology then.
Yeah.
Apparently, I read this last week, 90% of homes now have a smart device in them. I'm guessing they mean the US, right? And many of those devices are going to have mics.
And we have mics on our phones, our tablets, our computers, our televisions, our home assistants, our cars.
And you, Graham, you keep accidentally FaceTime videoing me from your bathroom, for God's sake. Video!
And we have mics on our phones, our tablets, our computers, our televisions, our home assistants, our cars.
And you, Graham, you keep accidentally FaceTime videoing me from your bathroom, for God's sake. Video!
Accidentally!
Yes, exactly. Accidentally.
Look, I'm sorry, but it has started doing it again, hasn't it? Just recently, yes. That is true.
You called me at 2 in the morning 3 times.
Now, if people want to hear more about this, we do cover it in episode 44 of Smashing Security.
Well, how do you remember that?
I just Googled it. So as you mentioned it, because there's a full explanation, although we tried to— we haven't really got to the bottom of that. It is still happening, isn't it?
Only when I get in the shower for some reason.
Only when I get in the shower for some reason.
But water sounds like raindrops. Shh, Carole. Okay, while I don't have a virtual assistant in my house, I have plenty of microphones.
So number one, I suggest don't buy a device where you can't mute the microphone on it, right? So just check that that's something that you can actually toggle on or off.
Apparently on these Alexa devices, don't grant access to your contacts and don't enable calling and messaging.
Apparently if you do and now you wish to disable this, you need to call Amazon on the phone. If we're talking about Echos, this is according to John Gruber.
So number one, I suggest don't buy a device where you can't mute the microphone on it, right? So just check that that's something that you can actually toggle on or off.
Apparently on these Alexa devices, don't grant access to your contacts and don't enable calling and messaging.
Apparently if you do and now you wish to disable this, you need to call Amazon on the phone. If we're talking about Echos, this is according to John Gruber.
That's convenient, isn't it?
Yeah, it's quite gross. And consider deleting all info recorded on Alexa.
You can go to the smashingsecurity.com show notes for this episode, and I've got a link to a Verge article on how you can do that.
And maybe it's worth not having a listening device in rooms where you want to have a private conversation.
I don't know, I'm really seriously thinking about designating a room in my house as almost a safe room, one where smart devices are banned. I'm serious.
You can go to the smashingsecurity.com show notes for this episode, and I've got a link to a Verge article on how you can do that.
And maybe it's worth not having a listening device in rooms where you want to have a private conversation.
I don't know, I'm really seriously thinking about designating a room in my house as almost a safe room, one where smart devices are banned. I'm serious.
Well, I would like to see these manufacturers come up with a device or an option whereby if you want to say something to the device, you have to press a button at the same time, or you have a little remote or something, you know, which you could have in your pocket if you wanted, and you press it while you're talking, and that actually says, okay, you know, you physically told me that you want me to listen at this point, rather than constantly be listening and making mistakes like this one has.
Yeah. And for all of you guys with your devices, why don't you check your settings on your phone?
So on my iPhone, for example, you would go to privacy and select microphone and review which apps need to have the microphone turned on and turn off everything you don't trust or don't use regularly.
So on my iPhone, for example, you would go to privacy and select microphone and review which apps need to have the microphone turned on and turn off everything you don't trust or don't use regularly.
Oh, okay.
That's always good advice to regularly check the permissions you gave your apps.
Absolutely.
It's a bit like how many apps, for instance, will request your location. And you may not realize.
And then when you go and have a look, you're like, crap, you know, why does that need my location? You can decide to deny it in future.
And then when you go and have a look, you're like, crap, you know, why does that need my location? You can decide to deny it in future.
Yep. There's loads of links on the show notes if you want to look more into this. But I can tell you all these stories.
I know there's not a ton of these, but I'm not moved yet from my stand of not having one of these in my house yet.
I know there's not a ton of these, but I'm not moved yet from my stand of not having one of these in my house yet.
You don't like them, eh? No. Well, Carole, I'll tell you something you do like.
Tell me.
It's pick of the week time.
Graham Cluley.
Yay! And thanks once again to VirusTotal for sponsoring this episode of Smashing Security.
Over a million files are uploaded to VirusTotal every day for analysis and to determine what different antivirus products call them.
But you can do much more than that with VirusTotal Intelligence.
VirusTotal Intelligence helps you get more context about alerts through advanced malware threat hunting, behavioral visualization detection, as well as historical analysis of samples.
Learn more by visiting virustotal.com/learn, and be sure to let VirusTotal know that you heard about them from the Smashing Security podcast.
And welcome back, and you join us at our favorite part of the show, the part of the show that we call Pick of the Week.
Over a million files are uploaded to VirusTotal every day for analysis and to determine what different antivirus products call them.
But you can do much more than that with VirusTotal Intelligence.
VirusTotal Intelligence helps you get more context about alerts through advanced malware threat hunting, behavioral visualization detection, as well as historical analysis of samples.
Learn more by visiting virustotal.com/learn, and be sure to let VirusTotal know that you heard about them from the Smashing Security podcast.
And welcome back, and you join us at our favorite part of the show, the part of the show that we call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, book that they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever they like.
Doesn't have to be security-related necessarily, and it could be. And you know what, mine this week is a little bit security-related.
Could be a funny story, book that they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever they like.
Doesn't have to be security-related necessarily, and it could be. And you know what, mine this week is a little bit security-related.
Mine's a bit security-related.
Oh, I wonder what Tommi will come up with. We shall see. But I am going to point you to a website called TryPass pap.com. P-A-P.
Okay, you're not Rickrolling me, right?
No, no Rickroll. And PAP is the Passive Aggressive Password Machine.
And you're all familiar with those little widgets when you select a password on a website which gives you some indication.
It says, oh, this is a rubbish password, this is a weak password, this is an okay password, this is average, or that's really fantastic.
Well, the Passive Aggressive Password Machine basically takes the mickey out of the quality of your password in fine style.
Now, I would not recommend entering your real password there. You should never enter—
And you're all familiar with those little widgets when you select a password on a website which gives you some indication.
It says, oh, this is a rubbish password, this is a weak password, this is an okay password, this is average, or that's really fantastic.
Well, the Passive Aggressive Password Machine basically takes the mickey out of the quality of your password in fine style.
Now, I would not recommend entering your real password there. You should never enter—
Oops!
Too late!
Oh no, darn it! I gave it my master password to my password save.
So don't do that.
Tell me, tell me, so I can check if I got the same result.
So for instance, if I enter— oh, I'm going to enter one right now. It says, my God, have mercy on your email account. For the quality of the password which I just entered.
Another one says, "You're joking, right?" So you get hundreds of different responses, and it's quite a fun little way, I think, of raising awareness in your organization about the need for sensible, strong passwords.
And it just tickled me a little bit when I came across this.
It's not going to set the world on fire, unlike most of my picks of the week, which frankly do change the future of civilization and set the world on a whole new axis.
Another one says, "You're joking, right?" So you get hundreds of different responses, and it's quite a fun little way, I think, of raising awareness in your organization about the need for sensible, strong passwords.
And it just tickled me a little bit when I came across this.
It's not going to set the world on fire, unlike most of my picks of the week, which frankly do change the future of civilization and set the world on a whole new axis.
Always for the better. Always for the better.
Let's not forget when I recommended Paddington 2 or the Phoenix and other things, or lots of chess-related stuff.
This is simply the passive-aggressive password machine, and it will entertain you for approximately 20 seconds. And that is why it is my pick of the week. Tommi, over to you.
What's your pick of the week?
This is simply the passive-aggressive password machine, and it will entertain you for approximately 20 seconds. And that is why it is my pick of the week. Tommi, over to you.
What's your pick of the week?
My pick of the week is a website run by Tae In Ahn. I hope I pronounced it correctly.
She calls herself collection specialist at the Costume Institute at— and now we come to my pick of the week— instagram.com/eBayBay. eBay before anything else.
You may wonder what you find there. Quite entertaining content, all coming from eBay.
She calls herself collection specialist at the Costume Institute at— and now we come to my pick of the week— instagram.com/eBayBay. eBay before anything else.
You may wonder what you find there. Quite entertaining content, all coming from eBay.
Oh, I've already seen something wonderful there. Yes, me too. It's not—
Oh, it's not only that you would think of, yeah, oh, these offerings have been made by some LSD speed crackheads, whatever.
So yes, so this is a curated— it is weird curation of random stuff available on eBay, such as life-size wolf boy display sideshow freak gaff. For $149.
And basically it's a mannequin with lots of hair all over its face.
And basically it's a mannequin with lots of hair all over its face.
Exactly. I'm looking at the tropical parrot toilet paper holder, Carole.
That's also a nice one. Also nice.
Which I'm thinking your birthday's coming up. So that's a possibility.
Should we make a deal and buy one thing from this page for each of our birthdays?
So these are just loads of links to crazy stuff on eBay with crazy, crazy prices. Oh my goodness, yes, I didn't look at the prices.
Look at the prices. For instance, the USA-shaped sunglasses for just $320.45. Who else did not want these? I mean, I ask you sincerely.
It has here 100% authentic Christiania and your Rasta Bob Marley bustier thong set for $1,690. Oh, it's for a Barbie.
Oh, so it wouldn't fit me.
Okay. Interesting pick of the week.
Yes.
You could spend a lot of time on here.
I am wondering, so how did you find this exactly?
I'm not allowed to tell you.
It's classified.
It's classified. It's his, isn't it?
It's his.
Tommi runs the site. Tommi frickin' runs the site.
Carole, I hope you're going to raise the tone at this point with a quality pick of the week. I think you may well win this week.
Yes.
Let's hear what it is.
Yes, I'm definitely going to win this week. So I would like to showcase a pretty kick-ass browsing app called Brave.
Oh yeah.
It's— oh, you used it? You already know everything about it? What, you're just bored now? I can hear it in your tone.
Second name is Brave.
Jeez, can you just pretend?
Oh, what's Brave? Carole Theriault, what's Brave?
Thank you. God, so much to ask. It's designed to be an alternative to free browsers powered by advertising revenue. Now, it relies on Google's open source Chromium project.
And at the moment, this is how it plans to make money. So it's beta testing a system to reward publishers called Brave Payments.
This system would allow a user to set a budget that they're willing to donate to websites they spend time on.
Brave would effectively calculate the percentage assigned to each website through an algorithm that maybe says how often you go there, how long you stay there, how many services you use.
And then the publisher of the website would receive a transfer in cryptocurrencies should they choose to opt into the system. So apparently all this is going to be optional.
And I kind of like this idea. Now on top of that, it's really quick. I noticed a difference with the VPN turned on compared to other browsers I've used, other browsing apps.
You can assign it to a variety of different search engines. So it's a nice big list from things like Bing and Google all the way to DuckDuckGo and Startpage.
And there's a whole host of privacy and security features that you can toggle on and off to stop tracking and ads.
And I suggest maybe if you want to learn more about the security features, you go to another security podcast called The Complete Security and Privacy Podcast, episode 63.
And at the moment, this is how it plans to make money. So it's beta testing a system to reward publishers called Brave Payments.
This system would allow a user to set a budget that they're willing to donate to websites they spend time on.
Brave would effectively calculate the percentage assigned to each website through an algorithm that maybe says how often you go there, how long you stay there, how many services you use.
And then the publisher of the website would receive a transfer in cryptocurrencies should they choose to opt into the system. So apparently all this is going to be optional.
And I kind of like this idea. Now on top of that, it's really quick. I noticed a difference with the VPN turned on compared to other browsers I've used, other browsing apps.
You can assign it to a variety of different search engines. So it's a nice big list from things like Bing and Google all the way to DuckDuckGo and Startpage.
And there's a whole host of privacy and security features that you can toggle on and off to stop tracking and ads.
And I suggest maybe if you want to learn more about the security features, you go to another security podcast called The Complete Security and Privacy Podcast, episode 63.
Yeah, whoa, whoa, whoa. There's another security podcast?
Yes, there is. There's a few of them out there. That's why we're not numero uno. Anyway, this is an interesting episode.
If you want to learn more about, you know, a deep dive into the security features of Brave, check it out. And I've been using it for a few weeks and I love it.
And my backend guru of a brother, an Android user, also gave it a thumbs up. Mind, he is a bit annoyed about being the butt end of all our jokes last week.
If you want to learn more about, you know, a deep dive into the security features of Brave, check it out. And I've been using it for a few weeks and I love it.
And my backend guru of a brother, an Android user, also gave it a thumbs up. Mind, he is a bit annoyed about being the butt end of all our jokes last week.
There it is again. So juvenile. Well, on that bombshell, it's just about wrapped it up, hasn't it?
Tommi, if people want to follow you online, where's the best way for them to do that?
Tommi, if people want to follow you online, where's the best way for them to do that?
Oh, probably if it's security related, it might be Twitter, and the address is quite easy. It's SecureTommi.
Oh, nice. And Tommi is with an I, not a Y, correct? Yes. Okay. And you can follow us on Twitter @SmashingSecurity. That's Smashing Security without a G. No G.
Twitter wouldn't allow us to have a G. And you can go and buy stickers and t-shirts and all kinds of goodies at smashingsecurity.com/store as well.
And until next time, I guess all I have to— oh, one thing we have to ask you to do, if you like the show, rate us on Apple Podcasts. It does help new listeners discover the show.
Twitter wouldn't allow us to have a G. And you can go and buy stickers and t-shirts and all kinds of goodies at smashingsecurity.com/store as well.
And until next time, I guess all I have to— oh, one thing we have to ask you to do, if you like the show, rate us on Apple Podcasts. It does help new listeners discover the show.
It does. It's lovely getting them. I love it, love it, love it. Thank you to all of you who take the time to write.
I particularly like the ones who leave comments about Kroll. Those are the ones I like to read the most. No, they're all nice comments.
They haven't all.
They haven't always, but normally they're quite nice. Until next time, cheerio, bye-bye. Bye-bye.
Toodle-oo. Hey, Graham, we didn't talk about the Secure Tour, our big live tour.
We're doing a big live tour which we're going up and down the country— Cambridge, London, Manchester, Edinburgh.
That one, that one, we didn't bring it up at all because we're so modest. That was very good of us.
But if people wanted to see us, they could probably find all the details out on our website, right?
But if people wanted to see us, they could probably find all the details out on our website, right?
Yeah, smashingsecurity.com/live.
But— Okay, but let's not bore them with the details.
I'd be surprised if there are any tickets left, to be honest.
It will be an interesting experiment, especially if it confirms the prediction that Facebook usage is inversely proportional to productivity…which has certainly been my experience.
Concerning the inconvenience to companies that rely on Facebook for customer support and interaction, they need a wake up call anyway. I can understand the utility of Facebook as a vehicle for raising awareness of products and services. But when I find a company that relies exclusively on Facebook for support or other interactions, I'm outraged. How dare they require me to compromise my privacy and security for normal customer interactions?
Still, Facebook unquestionably fills a market need. The question is whether a state-run Facebook clone is a better option. The presumption that political states are qualified to provide the service of government (protection of lives and other property…including privacy) has been at the root of much misery in the past—a condition that continues into the present.
This one is worth watching. Maybe Papua New Guinea can actually design & operate a social networking service that manages to avoid the excesses of command-and-control statism, but I'm skeptical. I'll have to see it to believe it.
Was the press release made available in the other official languages of PNG? Wikipedia says that Tok Pisin is the most widely used.