As Chrome’s tenth birthday is celebrated, Google has released a new edition of the world’s most popular desktop browser. Chrome 69 has been rolled out with a strong password generator, rounder tabs, new icons, and other user interface changes.
It’s certainly been a successful ten years for the Chrome browser. In the late-1990s and early 2000s, most of us were using Netscape and then Internet Explorer on our desktop PCs. Today, it’s overwhelmingly Chrome.
But whatever browser you choose to run, chances are that it’s not just the browser. You’re also very likely to be running third-party extensions and plugins to boost the browser’s abilities, tweak its behaviour, and enhance your online security.
What many people don’t realise is that these extensions can themselves present a security risk, and – when you look into it – it’s pretty terrifying just how much a browser extension can do.
An ad blocker, for instance, can read and change all your data on the websites that you visit. It *has* to be able to have that ability to let it block website ads. When you install a browser extension, you’re placing a lot of trust in it never turning evil.
One popular service which has its own Chrome browser extension is Mega.nz – the cloud-based file-sharing service founded by the shadowy larger-than-life figure of Kim Dotcom (he severed all ties with Mega three years ago.)
This week, as ZDNet reports, the official Chrome browser extension for Mega.nz was compromised with a malicious update.
User of the extension received an automatic update which requested more permissions, including the ability to “read and change all your data on the websites that you visit.” In all likelihood many users simply clicked through the warning.
That, of course, was a big mistake.
The malicious edition of the Mega.nz extension started stealing login usernames, passwords, and cryptocurrency private keys from Chrome users – stealing information from surfers as they used sites such as Amazon, Google, Microsoft, GitHub, MyEtherWallet, MyMonero, and the cryptocurrency trading platform IDEX.
And to where was the sensitive data being siphoned? A Ukrainian server.
The suspicion has to be that Mega.nz’s account in the Chrome web store was somehow hacked. Was phishing to blame? A weak password? A reused password? A hack at Mega.nz? We just don’t know, and for now no-one’s saying.
The malicious version of the Mega.nz extension was available for Chrome users for some hours, and users who were updated during that time may have had credentials and private keys stolen from them. Mega.nz says it has now been removed, and is at pains to point out that the Firefox version of the extension is not affected.
Mega.nz, it seems, is placing some of the blame at Google itself – claiming that the security measures in place for extensions in the Chrome web store are weaker than those for, say, Firefox:
We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.
If you run the Mega.nz Chrome extension, change the passwords for all online accounts you may have logged into while the trojanized version was active. Make sure the new passwords are unique, and hard to crack.
To hear more discussion about this issue, be sure to check out the “Smashing Security” podcast:
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
No, come on, what are you talking about?
No, no, I'm serious. So the phone does a very high-pitched squeak that you can't hear outside your hearing.
But if they're having a conversation with someone and asking them, "When was the Battle of Hastings?" When?
What?
What?
It's not like they can say it in a really high-pitched tone, is it? It's not like they're a dolphin.
Smashing Security, Episode 94: Rogue Browser Extensions, Twitter Presence, and How to Cheat in Exams with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 94. My name is Graham Cluley.
Smashing Security, Episode 94: Rogue Browser Extensions, Twitter Presence, and How to Cheat in Exams with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 94. My name is Graham Cluley.
I'm Carole Theriault.
And we are joined this week by a returning guest, technology journalist, our very own Inspector Gadget. It is David McClelland. Hello, David.
Hello, Go-Go Gadgets, something or other. I can't quite think what. Go-Go Gadget Arms.
Yes, I'm surrounded on my desk by a ton of gadgets that I haven't managed to pack away yet because I've just moved house, living in the sticks like your good selves.
And yeah, I haven't done all that well with the packing up yet.
Yes, I'm surrounded on my desk by a ton of gadgets that I haven't managed to pack away yet because I've just moved house, living in the sticks like your good selves.
And yeah, I haven't done all that well with the packing up yet.
Hey, we live in Oxford. That's hardly the sticks, man. It's not like all carts and haystacks here. This is— especially Carole. Carole, you're very urban, aren't you?
Oh, I am. It's HQ. Yeah, this is the hive. Yeah, in the middle.
Well, we're pleased that you've got a decent internet connection out there, David.
Well, yes, I live on the side of a hill in the middle of a forest with no cell phone connection whatsoever.
But I do have fibre broadband, which, touch wood, has been pretty stable so far.
But I do have fibre broadband, which, touch wood, has been pretty stable so far.
I'm jealous.
You're jealous, Carole? Is your internet a bit rubbish?
No, no, I'm jealous of having a view of trees and, you know, hills, greenery.
I'll send you a view. We have the most beautiful view over—
You've already sent me one.
Oh, I have, haven't I? I'm so sorry.
You've already rubbed my face in it.
Carole, you've got a view of a multi-storey car park and— Is it a Lidl or something that's near you?
Yeah, yeah, this is okay. Yeah.
Actually, I shouldn't identify your location too much. Like, people could narrow it down from that.
Yeah, very much so. We'll just get rid of this bit.
Yeah.
Yeah. But thanks.
Yeah.
Okay, good.
Good.
Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in.
Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous! Nightmare!
That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.
LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.
As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.
Listeners can check it out themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.
Well, happy, happy birthday to the Chrome browser. 10 this week, 10 years since the Chrome browser came out. It's incredible, isn't it?
Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous! Nightmare!
That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.
LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.
As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.
Listeners can check it out themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.
Well, happy, happy birthday to the Chrome browser. 10 this week, 10 years since the Chrome browser came out. It's incredible, isn't it?
Mm-hmm.
I don't know if you guys— do you remember the browsers you were using in the mid-1990s and the late 1990s? Things like Netscape and all of those.
Definitely Netscape for me.
That was the first one that I remember using, but I remember very clearly when Chrome came out, I was living in Holland at the time, 10 years ago, and the whole concept of having multi-tabbed browsers seemed quite revolutionary at the time.
I know, it just seems that I must have maybe a million tabs open at the moment. And the idea of just not having that, it has changed the way that I use the web, certainly.
That was the first one that I remember using, but I remember very clearly when Chrome came out, I was living in Holland at the time, 10 years ago, and the whole concept of having multi-tabbed browsers seemed quite revolutionary at the time.
I know, it just seems that I must have maybe a million tabs open at the moment. And the idea of just not having that, it has changed the way that I use the web, certainly.
Well, just this week, a brand new version of Chrome came out and it included some interesting features, strong password generator, rounder tabs, and other user interface changes.
Rounder tabs?
Yes, I know.
That's one of their top selling points?
Yeah, you know, people are impressed by bells and whistles quite often, aren't they?
Just a simple change to the canvas or altering some of the icons and people go, "Ooh, yes, I want that." And sometimes that is what encourages people to switch, I suppose.
Just a simple change to the canvas or altering some of the icons and people go, "Ooh, yes, I want that." And sometimes that is what encourages people to switch, I suppose.
Okay, fine. Still lame.
But whatever browser you might be using, chances are you're not just using the pure vanilla browser.
You're probably also running third-party extensions and plugins which can boost your browser's capabilities, tweak its behavior, and maybe give you some other benefits.
You're probably also running third-party extensions and plugins which can boost your browser's capabilities, tweak its behavior, and maybe give you some other benefits.
Yeah, give you loads of gizmos. I've got tons running.
Right, I've got a few running as well on mine, and I think it's perfectly normal to do that. You know, you might, for instance, have an ad blocker.
One might.
Yeah, hopefully you do. One might have a password manager.
But all of these, even if they're security-focused, they can actually be a security risk because it's terrifying just how much power a browser extension can have and what it's capable of doing.
But all of these, even if they're security-focused, they can actually be a security risk because it's terrifying just how much power a browser extension can have and what it's capable of doing.
Oh no.
So an ad blocker, for instance, if you think about it, it has the ability to read and change all of the data on the websites that you visit because it has to be able to tell there's an ad there and then it has to be able to remove it.
Which means it can technically read everything that you're reading too, right?
Which means it can technically read everything that you're reading too, right?
Mm-hmm.
And it needs to do that to do its job. So you're putting a lot of trust in your browser extensions not to turn evil.
And I'm afraid there is a browser extension for a popular service which did turn evil this week.
The extension for Mega.nz, which is the file sharing service, cloud-based service founded by that larger than life figure Kim Dotcom, although he's no longer connected with Mega.
And I'm afraid there is a browser extension for a popular service which did turn evil this week.
The extension for Mega.nz, which is the file sharing service, cloud-based service founded by that larger than life figure Kim Dotcom, although he's no longer connected with Mega.
Jesus, pot kettle.
You said I'm larger than life, Carole.
You certainly are in so many ways.
Charming.
Well, this week, the official browser extension for Mega was compromised, and there was an automatic update for the extension which was received on users' desktops, which requested more permissions, including the ability to read and change all the data on the websites that you visit.
And in all likelihood, most users would just click through and say, yeah, yeah, yeah. You know, I use the Mega.nz extension because it helps me download stuff from the service.
Well, this week, the official browser extension for Mega was compromised, and there was an automatic update for the extension which was received on users' desktops, which requested more permissions, including the ability to read and change all the data on the websites that you visit.
And in all likelihood, most users would just click through and say, yeah, yeah, yeah. You know, I use the Mega.nz extension because it helps me download stuff from the service.
And people are being inundated with GDPR requests every time they go anywhere. I certainly am. So I can see how people would just go, yes, accept, go, go, go, accept, accept, accept.
I know that was the big irony, wasn't it? That all these companies were told that you have to tell your users what you're doing with the data.
And we were so bombarded with all these messages that you're just like, whatever, you know, just get rid of it.
So you still aren't informed as to what most of these services are actually doing. Technically you have been, legally you have been, but never actually read them.
And we were so bombarded with all these messages that you're just like, whatever, you know, just get rid of it.
So you still aren't informed as to what most of these services are actually doing. Technically you have been, legally you have been, but never actually read them.
Not in all cases. Some of them are absolutely awful. Anyway.
So many people have just accepted this MegaNZ update, and that of course was a big mistake because this malicious version of that Chrome extension started to steal information.
So it wasn't the bona fide plugin or extension? It was—
The bona fide one was replaced by this bogus malicious one. So it's not as though people downloaded the wrong one and installed it on their device thinking it was the real one.
It was pushed out to them. If they were originally using the genuine article, they had now been effectively infected by a bad one.
And it was stealing usernames, passwords, cryptocurrency, private keys, and it would activate on sites like Amazon, Google, where you may have your email, for instance, Microsoft, GitHub.
It was pushed out to them. If they were originally using the genuine article, they had now been effectively infected by a bad one.
And it was stealing usernames, passwords, cryptocurrency, private keys, and it would activate on sites like Amazon, Google, where you may have your email, for instance, Microsoft, GitHub.
Oh no.
And so potentially the criminals could not only mess around with your Amazon or read your emails, they could even maybe change your software projects, which you might be working on on GitHub, change your code, and it could also steal private keys for your cryptocurrency.
So when you say potentially, did they— did it steal stuff? We don't know.
It was stealing the credentials and it was stealing the private keys. And what then was done with that information which it's stolen, we don't know. Who knows?
So where did the data end up going to then?
Well, the data was being secretly and silently siphoned off to a Ukrainian server, and who knows if that was a proxy for someone else somewhere else in the world.
We simply do not know, but the data has gone.
We simply do not know, but the data has gone.
This is a nightmare.
Well, it's a real problem if you happen to have this particular extension installed.
Yeah.
You know, the presumption is that their account was hacked and whether that was phishing or they chose a dumb password or reused a password, we don't know.
And for now, nobody's saying, but the extension was up for some hours and users who were updated during that time period may have had their credentials and private keys stolen.
There could be follow-on impacts from that. And that obviously is not good. The good news is the Firefox version of the extension is not affected.
This is purely the Chrome extension, in fact—
And for now, nobody's saying, but the extension was up for some hours and users who were updated during that time period may have had their credentials and private keys stolen.
There could be follow-on impacts from that. And that obviously is not good. The good news is the Firefox version of the extension is not affected.
This is purely the Chrome extension, in fact—
I'm expecting a press release any day now.
From the guys at Mozilla saying, there we go, it's yet another— Well, you know what?
There might actually be a basis in fact there, because Mega are saying that Google themselves are partly to blame.
They are pointing out that the security measures in place on the Firefox plugin or extension area are stronger than those which are in place for the Chrome Web Store.
You even have a quote from a third party now too. Exactly, as endorsed by Mega. So yeah, you know, potentially there are improvements maybe which Google can make there.
So rather than rounding off all those tabs—
There might actually be a basis in fact there, because Mega are saying that Google themselves are partly to blame.
They are pointing out that the security measures in place on the Firefox plugin or extension area are stronger than those which are in place for the Chrome Web Store.
You even have a quote from a third party now too. Exactly, as endorsed by Mega. So yeah, you know, potentially there are improvements maybe which Google can make there.
So rather than rounding off all those tabs—
Right!
There you are, Carole, you see, you're absolutely right.
Rather than rounding the tabs and doing all those fancy icons and things like that, changing those, maybe they need to get their house a bit more in order.
So some takeaways for everyone here. First one, browser extensions, even the ones that are supposed to be keeping you safe, they've got an enormous amount of power.
If an extension goes rogue, everything you do in your browser is now compromised.
So Google Chrome itself is a pretty secure browser, and they've got real experts working on the security of it.
But you are plugging in code written by third parties who may be rubbish at security, who may not have properly looked after their code, or maybe aren't looking after their accounts properly, and you're running that on your computer.
So you are increasing your threat surface, as the marketing people like to call it, by increasing the number of extensions you run on your browser.
Rather than rounding the tabs and doing all those fancy icons and things like that, changing those, maybe they need to get their house a bit more in order.
So some takeaways for everyone here. First one, browser extensions, even the ones that are supposed to be keeping you safe, they've got an enormous amount of power.
If an extension goes rogue, everything you do in your browser is now compromised.
So Google Chrome itself is a pretty secure browser, and they've got real experts working on the security of it.
But you are plugging in code written by third parties who may be rubbish at security, who may not have properly looked after their code, or maybe aren't looking after their accounts properly, and you're running that on your computer.
So you are increasing your threat surface, as the marketing people like to call it, by increasing the number of extensions you run on your browser.
That's not a nice takeaway. That just makes us all feel a bit—
All right.
Oh.
Well, yeah, I'm just— okay, we're going to get to the good stuff in a moment.
Now, the other thing is, of course, sometimes you may have a browser extension installed and the ownership of that browser extension may change.
The company may change, the developers may change, it may get sold on to someone else.
So it may no longer be the same developer who you originally thought was writing the extension, and it may be someone less benevolent.
So always be wary when a browser extension asks for increased permissions.
So normally your browser will pop up and say, this extension is now asking, you know, to scoop up all the information on every web page you visit.
You can ask yourself, well, you know, do I really want it doing that or not? Is there a justified case for it?
And maybe there is with some extensions like ad blockers, but, you know, be careful because other extensions may not need that.
And if they suddenly start requesting it, then that suggests that something has changed in their underlying code.
Keep the number of extensions you run in your browser to a minimum, and if you're an extension developer, remember that you've got a responsibility to secure your code, secure your account, so that others can't exploit it and maybe spread their attack in such a wide fashion.
Now, the other thing is, of course, sometimes you may have a browser extension installed and the ownership of that browser extension may change.
The company may change, the developers may change, it may get sold on to someone else.
So it may no longer be the same developer who you originally thought was writing the extension, and it may be someone less benevolent.
So always be wary when a browser extension asks for increased permissions.
So normally your browser will pop up and say, this extension is now asking, you know, to scoop up all the information on every web page you visit.
You can ask yourself, well, you know, do I really want it doing that or not? Is there a justified case for it?
And maybe there is with some extensions like ad blockers, but, you know, be careful because other extensions may not need that.
And if they suddenly start requesting it, then that suggests that something has changed in their underlying code.
Keep the number of extensions you run in your browser to a minimum, and if you're an extension developer, remember that you've got a responsibility to secure your code, secure your account, so that others can't exploit it and maybe spread their attack in such a wide fashion.
And just to add to that, I mean, just while you were talking there, Graham, I've got Chrome open right now. I've been Googling.
Well, actually, no, I haven't so much, but I opened up to have a look at the extensions that I have installed in my Chrome browser right here. And do you know what?
There are quite a few here that I installed many, many moons ago, maybe 2 or 3 at a time, to try and do a particular thing, whether it's email the page that I'm on right now to myself or whatever it is.
And there's some here that I don't really remember. I certainly haven't used for an awfully long time.
And, you know, I probably wouldn't even realize if some of these had turned rogue until it was too late.
So not only be careful about extensions that you install, but every now and then do a little bit of housekeeping and go, actually Bitly or Flash Control, I haven't used that for months, haven't used it for years.
Well, actually, no, I haven't so much, but I opened up to have a look at the extensions that I have installed in my Chrome browser right here. And do you know what?
There are quite a few here that I installed many, many moons ago, maybe 2 or 3 at a time, to try and do a particular thing, whether it's email the page that I'm on right now to myself or whatever it is.
And there's some here that I don't really remember. I certainly haven't used for an awfully long time.
And, you know, I probably wouldn't even realize if some of these had turned rogue until it was too late.
So not only be careful about extensions that you install, but every now and then do a little bit of housekeeping and go, actually Bitly or Flash Control, I haven't used that for months, haven't used it for years.
Get rid of them.
Exactly.
Yeah, and some of them you just mentioned, for instance, an extension which emails you a link to the page you're currently looking.
That basically says to me, you're a bit lazy, David, and you could be just doing a copy and paste of the URL and bunging it in an email to yourself.
That basically says to me, you're a bit lazy, David, and you could be just doing a copy and paste of the URL and bunging it in an email to yourself.
I was just about to say, isn't it nice that Graham's your little fairy godmother? But now I'm taking it back. A bit harsh there, Clue.
I'm all about saving myself a few clicks, Carole.
And, you know, if it means I'm not having to, you know, open up my mail browser, do a copy and paste, if I can just tap one button and save myself 20 seconds and do that 10 times a day, then I'm happy.
Even if you aren't, Graham.
And, you know, if it means I'm not having to, you know, open up my mail browser, do a copy and paste, if I can just tap one button and save myself 20 seconds and do that 10 times a day, then I'm happy.
Even if you aren't, Graham.
I need to apologize for not waving my wand in the direction of David McClelland.
Right. Twinkle toes.
Twinkle toes. Thank you. That's much nicer than being called larger than life. Appreciate that, Carole. Okay, David, what's your story for us this week?
Well, it's funny you talk about prioritization there and things that Chrome perhaps should be working on rather than things that it actually is.
Looking on another platform, news surfaced last week that social network Twitter, who I think Twitter's investors are surely the only ones who are still chirpy about Donald Trump's ongoing presidency, Twitter has been testing some new features, it turns out.
And one of these features, I personally think, in one fell swoop fundamentally changed the entire dynamic of the interactions on Twitter and make it even more of a magnet than it already is for unsociable behavior.
So it was a post by, I think she's Director of Product Management at Twitter, Sarah Haider, revealed that alongside threaded replies, and replies and threads are already a real mess on Twitter if you ask me, that Twitter is also testing something called presence.
Now, Carole, that's not birthday or Christmas presents or presents for good behaviour. Oh, thank you, James. Sorry about that.
Instead, it's a little green dot that indicates whether you are online at that moment in time.
Now, on the one hand, you could see that this is a fairly minor change that might increase the sense of immediacy of the conversations that take place on there.
And it's all going to maybe grow the engagement that I'm sure Twitter's owners and investors want to see on the platform.
But I think that subtle change makes a huge difference in a number of ways. Inasmuch as, you know, if you see somebody's online, you expect a response from them.
It's like a read receipt on an email or iMessage or WhatsApp. Twitter becomes a bit too much of a messaging platform. You know, it's like, well, I know that you saw my @reply.
Why didn't you respond to it? I don't want to live my Twitter life like that. I've got enough platforms where that's the case already. Thank you very much.
Looking on another platform, news surfaced last week that social network Twitter, who I think Twitter's investors are surely the only ones who are still chirpy about Donald Trump's ongoing presidency, Twitter has been testing some new features, it turns out.
And one of these features, I personally think, in one fell swoop fundamentally changed the entire dynamic of the interactions on Twitter and make it even more of a magnet than it already is for unsociable behavior.
So it was a post by, I think she's Director of Product Management at Twitter, Sarah Haider, revealed that alongside threaded replies, and replies and threads are already a real mess on Twitter if you ask me, that Twitter is also testing something called presence.
Now, Carole, that's not birthday or Christmas presents or presents for good behaviour. Oh, thank you, James. Sorry about that.
Instead, it's a little green dot that indicates whether you are online at that moment in time.
Now, on the one hand, you could see that this is a fairly minor change that might increase the sense of immediacy of the conversations that take place on there.
And it's all going to maybe grow the engagement that I'm sure Twitter's owners and investors want to see on the platform.
But I think that subtle change makes a huge difference in a number of ways. Inasmuch as, you know, if you see somebody's online, you expect a response from them.
It's like a read receipt on an email or iMessage or WhatsApp. Twitter becomes a bit too much of a messaging platform. You know, it's like, well, I know that you saw my @reply.
Why didn't you respond to it? I don't want to live my Twitter life like that. I've got enough platforms where that's the case already. Thank you very much.
Because we all love those emails, don't we, with read receipts or those ones where people put those secret tracking pixels in.
In fact, that's something which some people probably put a browser extension in place to try and prevent from happening.
In fact, that's something which some people probably put a browser extension in place to try and prevent from happening.
I certainly do. That is one of the extensions that I do have enabled, although that's got access to my complete Gmail inbox. Anyway, that's another story.
So I come to Twitter to chill, to take in information, to, you know, get access to news stories. Twitter and chill. Twitter and chill, yes.
So I come to Twitter to chill, to take in information, to, you know, get access to news stories. Twitter and chill. Twitter and chill, yes.
We're so middle-aged.
That's as good as it gets. I know. But I certainly don't go to Twitter for a guilt trip. You know, sometimes I don't want to reply to conversations, at least not immediately.
I want to do them in my own time. And a change like this, certainly would change that. But also, not everybody on Twitter plays nicely, and it's— Really? Yeah, really.
And there were certainly a lot of objections to this post from Sarah all across the internet.
So, for example, if I'm a troll— and I disagree with the term troll for various reasons, that's another story— but if I'm a troll—
I want to do them in my own time. And a change like this, certainly would change that. But also, not everybody on Twitter plays nicely, and it's— Really? Yeah, really.
And there were certainly a lot of objections to this post from Sarah all across the internet.
So, for example, if I'm a troll— and I disagree with the term troll for various reasons, that's another story— but if I'm a troll—
I'm quite interested in that.
Oh, okay.
Are you from the Royal Society of Prevention of Cruelty to Trolls or something?
He's probably in pantomimes, and he probably has to play the troll and doesn't want to be disdained.
Not this year. I do really like the film Trolls, but I think that's fantastic.
No, if we're going there, then trolling for me is a very specific kind of online interaction if you look back at the history of it.
And I think trolling is used as a bit of a shorthand for what is often online abuse. Yeah, it's hate speech, it's misogyny, it's sexism, it's racism.
And I think if we are going to stamp this stuff out on the internet, then we need to name that stuff what it is.
And sugarcoating it with the term trolling which can also mean more provocative, more playful interactions, I think is the wrong thing.
If it's hate speech, it's hate speech, and call it that.
No, if we're going there, then trolling for me is a very specific kind of online interaction if you look back at the history of it.
And I think trolling is used as a bit of a shorthand for what is often online abuse. Yeah, it's hate speech, it's misogyny, it's sexism, it's racism.
And I think if we are going to stamp this stuff out on the internet, then we need to name that stuff what it is.
And sugarcoating it with the term trolling which can also mean more provocative, more playful interactions, I think is the wrong thing.
If it's hate speech, it's hate speech, and call it that.
I'm with you, brother. Yeah, agree with that.
But I don't— I have never thought of the word trolling as a sugarcoating. I think it has a really yucky connotation.
No, I've never heard it in any kind of positivity way that I thought, oh yeah, cool, thumbs up on that one.
No, I've never heard it in any kind of positivity way that I thought, oh yeah, cool, thumbs up on that one.
Yeah, I mean, I've done various bits TV and investigations and stuff into trolling, in particular the history of trolling, the history of chat rooms, and the way that certain corners of the internet like to poke fun to try and get reactions from people.
And sometimes I think that that is— calling it healthy is perhaps a little bit too cozy, but sometimes it's not altogether a bad thing.
But if my intent is to abuse, if my intent is to harm somebody, to cause them emotional hurt, that isn't trolling in my book. It's hate crime. So there we go.
And sometimes I think that that is— calling it healthy is perhaps a little bit too cozy, but sometimes it's not altogether a bad thing.
But if my intent is to abuse, if my intent is to harm somebody, to cause them emotional hurt, that isn't trolling in my book. It's hate crime. So there we go.
Graham, be careful.
Anyway, there's a lot of that that takes place on Twitter. I think we all agree with that.
And if I can see that somebody is online, if I got that little green light that says that that person is online, then maybe I can start targeting them.
I can start hounding them, or maybe using that information about when they are and aren't online and offline to start build a profile about them for, I don't know, identity fraud or whatever.
And then I did see a tweet.
It was from Rob_Sheridan, and he replied to Jack, @JackDorsey, who's the big boss at Twitter, said, okay, everyone, Twitter has a serious problem with harassment and abuse.
Please fix it. Twitter, we're listening, and we've decided to make it easier for abusers to know when you're online. Yeah, so that's a bit of a shame.
So I guess this is a feature of Twitter that's just being tried out. As Sarah, to be fair, did say, will it be turned on by default? Would it be something you have to enable?
Graham, I saw also on Twitter that you, ever the consumer champion, you actually waded in directly with Sarah on this point, didn't you?
And if I can see that somebody is online, if I got that little green light that says that that person is online, then maybe I can start targeting them.
I can start hounding them, or maybe using that information about when they are and aren't online and offline to start build a profile about them for, I don't know, identity fraud or whatever.
And then I did see a tweet.
It was from Rob_Sheridan, and he replied to Jack, @JackDorsey, who's the big boss at Twitter, said, okay, everyone, Twitter has a serious problem with harassment and abuse.
Please fix it. Twitter, we're listening, and we've decided to make it easier for abusers to know when you're online. Yeah, so that's a bit of a shame.
So I guess this is a feature of Twitter that's just being tried out. As Sarah, to be fair, did say, will it be turned on by default? Would it be something you have to enable?
Graham, I saw also on Twitter that you, ever the consumer champion, you actually waded in directly with Sarah on this point, didn't you?
Yes, I did, because I was concerned as well that this might be turned on by default and that we'd have to opt out of it, which is the normal way that social networks work, isn't it?
And she replied saying, don't worry, users are going to have full control over the option. I thought, hang on, and she kept on saying you'll have full control of it.
I thought, well, what does that actually mean? Does that mean you'll have the full control to turn it off or full control to turn it on in the first place.
And I have to say, I was very pleased because she came back to me and she said, this will be opt-in, which is the right—
And she replied saying, don't worry, users are going to have full control over the option. I thought, hang on, and she kept on saying you'll have full control of it.
I thought, well, what does that actually mean? Does that mean you'll have the full control to turn it off or full control to turn it on in the first place.
And I have to say, I was very pleased because she came back to me and she said, this will be opt-in, which is the right—
Now leave me alone!
Yeah, stop bugging me, Graham. Stop harassing me online. But yes, she's saying that it's going to be opt-in.
So that, I have to say, I can't imagine this is a feature that many people will want, to be honest. But I'm pleased to hear that it's going to be opt-in rather than opt-out.
That's the right way round.
I imagine Twitter itself is seeing the success of services like WhatsApp and Facebook Messenger and maybe it wants to get more into this instant messaging kind of game as a way of growing itself.
There's obviously the concern that this feature may slowly creep in and may become the default in future.
So that, I have to say, I can't imagine this is a feature that many people will want, to be honest. But I'm pleased to hear that it's going to be opt-in rather than opt-out.
That's the right way round.
I imagine Twitter itself is seeing the success of services like WhatsApp and Facebook Messenger and maybe it wants to get more into this instant messaging kind of game as a way of growing itself.
There's obviously the concern that this feature may slowly creep in and may become the default in future.
You know what? I like that you used that word because that's what I think this is, creepy.
People might find it useful, but I think the creep factor of what does suggesting and how is it going to change our behavior online? And people are already a bit wary.
It's just asking more of us and tracking us more.
People might find it useful, but I think the creep factor of what does suggesting and how is it going to change our behavior online? And people are already a bit wary.
It's just asking more of us and tracking us more.
And as David says, there's so much unpleasantness on Twitter right now already. I can see this being abused.
So not in my echo chamber. I just have flowers, butterflies, trees.
Speaking of echo chambers, Graham, I also noticed that you have found a different echo chamber that you're trying to hang out in as well. Tell me about Mastodon.
Yeah, Mastodon's quite nice. Do you know what a mastodon is, Carole?
No, I have no idea.
I think a mastodon is some kind of elephant-like creature, like a mammoth or something like that. Anyway, Mastodon is a bit like Star Trek: The Next Generation.
So everybody likes each other, all the countries around the world. So it's a Twitter alternative. I haven't explained this very well.
So everybody likes each other, all the countries around the world. So it's a Twitter alternative. I haven't explained this very well.
It's—
No, I have no idea.
Mastodon is an alternative to Twitter and it's ad-free.
Free, and anyone can set up their own little Mastodon pod, which connects to all the other Mastodon pods, and you can post your little statuses.
You have up to 500 characters on Mastodon.
And there are third-party apps which aren't being blocked as to what they can do, whereas a lot of the Twitter apps at the moment are being basically having their goolies chopped off by Twitter and prevented from doing things.
Free, and anyone can set up their own little Mastodon pod, which connects to all the other Mastodon pods, and you can post your little statuses.
You have up to 500 characters on Mastodon.
And there are third-party apps which aren't being blocked as to what they can do, whereas a lot of the Twitter apps at the moment are being basically having their goolies chopped off by Twitter and prevented from doing things.
Are you sneaking your pick of the week in early?
No, no, this isn't my pick of the week, but I would say to people, you might want to try out Mastodon.
It's quite interesting, and certainly you get the feeling that it's being driven more by privacy concerns. And at the moment there's no Nazis who are pitching it.
It's quite interesting, and certainly you get the feeling that it's being driven more by privacy concerns. And at the moment there's no Nazis who are pitching it.
Or just kick social on the shins and, you know, go outside.
Well, yeah, a bit of vitamin D in everyone's diet never does any harm, does it?
Listen to a podcast while you're, you know, breathing the fresh air.
Yes, exactly.
Take the podcast.
Hallelujah.
Carole, what is your story for us this week?
Well, you guys may have seen other parents dancing in the streets as kids head back to school, right? I'm free! I'm finally free!
So to my memory, the first few weeks of school are pretty much a dawdle academically, right?
I mean, it's a while before students have to start facing the dreaded tests and examinations.
So to my memory, the first few weeks of school are pretty much a dawdle academically, right?
I mean, it's a while before students have to start facing the dreaded tests and examinations.
Right.
Tests and examinations. Some people really excel in those environments. I wasn't bad, but others might be well tempted to cheat, right, in these tests?
No, piff-paff, surely no one cheats.
Did you guys ever cheat? Seriously, time to come clean. Sorry, did you guys ever cheat in school?
So there's a bit of problem with the connection.
Okay, I'll ask David instead.
You're only cheating yourself.
Did you never cheat?
I don't think so. I mean, we literally had, you know, there were no calculators in our exams. It was pencils and paper and stuff, as I remember.
Okay, I cheated, and I'll tell you how I did it. Oh yeah, reveal how I did it.
Okay.
So I especially cheated in classes where I'd have to memorize terms and then remember how to spell them, right? Things like — I remember one was hemophiliac.
I just could never remember exactly how to get — I knew I'd get it mixed up. And there was another one was metamorphosis. That was another one.
And so how I pulled it off was using a sharp H2 pencil, which was very important.
I would write the word very tiny so my teacher probably wouldn't be able to read it on my eraser, my Staedtler eraser.
And then if I felt I was in the danger of getting caught, I would just frantically start erasing. Evidence gone. Boom, right?
I just could never remember exactly how to get — I knew I'd get it mixed up. And there was another one was metamorphosis. That was another one.
And so how I pulled it off was using a sharp H2 pencil, which was very important.
I would write the word very tiny so my teacher probably wouldn't be able to read it on my eraser, my Staedtler eraser.
And then if I felt I was in the danger of getting caught, I would just frantically start erasing. Evidence gone. Boom, right?
Don't try this at home, kids.
Well, they probably don't even use pencils and erasers anymore. Now cheating is on the rise. Apparently people cheating last summer was up 25% over the previous year.
And a recent report involving 25,000 students in the States reported that 95% of students said they participated in some form of cheating, be it a test, plagiarism, or copying homework.
And the culprit everyone is pointing the finger at is, I'm sure you can guess, technology, right? So say hello to what some people are calling smart cheating.
And a recent report involving 25,000 students in the States reported that 95% of students said they participated in some form of cheating, be it a test, plagiarism, or copying homework.
And the culprit everyone is pointing the finger at is, I'm sure you can guess, technology, right? So say hello to what some people are calling smart cheating.
Smart cheating.
Yep, I know. So it's not just phones, right? So there was a case of smart calculators being hacked to store lots and lots of cheat sheets.
Smart glasses can be used to send information to a third party, and then the answer arrives by text on your smartwatch.
Smart glasses can be used to send information to a third party, and then the answer arrives by text on your smartwatch.
I did used to know how to program my calculator to display the word boobies.
I could do that too.
Would have been useful in biology or something that, I expect.
I'm not sure that's the technical term.
Okay.
Now, some kids even use high-frequency ringtones. These are ringtones that are outside the hearing range of an adult.
What?
And they actually can answer the phone and get the answers and get some help.
No, come on, what are you talking about? These are people in the exam hall, yeah. And so the phone does a very high-pitched squeak.
That you can't hear, outside your hearing.
Okay, but presumably it's not outside my vision to see a student pick up their phone and say, "Yep, okay, so I've got question 14 here." Well, Graham, I don't know if you ever were in university doing a test in a big student hall.
I think you do know. But, you know, I do feel for the teachers. Spotting cheaters is difficult.
I think you do know. But, you know, I do feel for the teachers. Spotting cheaters is difficult.
But if they're having a conversation with someone and asking them, "When was the Battle of Hastings?" "When?"
What?
What?
What?" Yeah.
It's not they can say it in a really high-pitched tone, is it? It's not they're a dolphin.
So now even you can check out, if you're online, you're probably Googling still, David.
If you can go Google photomath.net, it's an app that you basically can put your phone over the actual math problem and it will just show the answer.
If you can go Google photomath.net, it's an app that you basically can put your phone over the actual math problem and it will just show the answer.
I'm looking at this now and I'm agog.
Great for math homework.
It's not just 2 and 2 is 4.
No.
There's some serious equations and squiggles that I've not got a clue about, frankly.
Oh, long division.
Yes! And there's—
Logarithms!
There's some cosines and tangents and square roots and all sorts of things. And this app, it's an augmented reality app, or Word Lens or whatever it is.
And it's just solving it almost instantly just by putting your phone to the math book.
And there's no explanation on this website about trying to pretend that it has a use other than just for cheating doing homework.
And it's just solving it almost instantly just by putting your phone to the math book.
And there's no explanation on this website about trying to pretend that it has a use other than just for cheating doing homework.
Yeah, so parents, when your kids run upstairs and bounce down the stairs five minutes later having finished their math homework, check their phone.
I'm looking at the website as well. It's got a little animated video on the front page. I mean, it is very impressive, this kind of technology.
But are people allowed to take their phones into exams?
But are people allowed to take their phones into exams?
Very good question. You fell into my trap, right? Because exactly, the easy answer seems just ban tech from the testing room.
But the problem is a lot of tests are now being given online. This makes the taking and the marking of the tests easier, and it makes them more standardized across the board.
And this is kind of important because students are basically relatively ranked to establish their academic standing or potential for university or post-education or jobs.
But how do you control the cheating? Many schools can't afford to hand out clean lockdown laptops to students for every test, right? Of course not.
And all these tests, of course, they can't — we're not talking air-gapped computers because these are online tests that require access to internet services.
So students are being asked to bring in their own laptops or devices. And here is the crux: how is the school supposed to lock down devices outside their immediate control?
But the problem is a lot of tests are now being given online. This makes the taking and the marking of the tests easier, and it makes them more standardized across the board.
And this is kind of important because students are basically relatively ranked to establish their academic standing or potential for university or post-education or jobs.
But how do you control the cheating? Many schools can't afford to hand out clean lockdown laptops to students for every test, right? Of course not.
And all these tests, of course, they can't — we're not talking air-gapped computers because these are online tests that require access to internet services.
So students are being asked to bring in their own laptops or devices. And here is the crux: how is the school supposed to lock down devices outside their immediate control?
Okay, so I've got a great answer for you. They could install a browser plugin, and the browser plugin would be mandatory to do the online test.
And that would be monitoring all your other tabs and other processes running on the — you'd have to give it a lot of power, of course, and you'd have to trust it that it didn't go rogue.
But that could make — we see this actually in — sorry to be nerdy for a moment — we see this actually in online chess tournaments because there's a big problem with people cheating in chess.
If I was a good chess player, I wouldn't be allowed to take my phone with me, and it would have to be switched off, and no technology hidden in the toilets.
But there's this problem now of online chess tournaments, and what some of the big sites do where you can watch the grandmasters playing each other is they have a webcam on the grandmaster as well, watching their face, and they actually monitor their eye movement, and they have other ways of determining whether there is dodginess going on, because of course it could be a little sneaky plugin in the corner which is processing the online chessboard and working out which the best move is.
And that would be monitoring all your other tabs and other processes running on the — you'd have to give it a lot of power, of course, and you'd have to trust it that it didn't go rogue.
But that could make — we see this actually in — sorry to be nerdy for a moment — we see this actually in online chess tournaments because there's a big problem with people cheating in chess.
If I was a good chess player, I wouldn't be allowed to take my phone with me, and it would have to be switched off, and no technology hidden in the toilets.
But there's this problem now of online chess tournaments, and what some of the big sites do where you can watch the grandmasters playing each other is they have a webcam on the grandmaster as well, watching their face, and they actually monitor their eye movement, and they have other ways of determining whether there is dodginess going on, because of course it could be a little sneaky plugin in the corner which is processing the online chessboard and working out which the best move is.
Now, Graham, I would like to ask you to get your big bag of popcorn and listen to this, because it's not as far-fetched. The same things are happening in school. All right, cool.
So, I have two examples. There's a number of examples out there because obviously this is a tech problem, right?
And of course, not far behind tech problems, there's all sorts of tech responses, especially if it's going to make some money.
So, there's a few little options out there, but I wanted to share two with you today.
And I want you two, because you both are daddies, so I want you to kind of think about, hey, if this was my kid with his device or her device, you know, how would I feel about this as a parent?
Okay. Example number 1, Microsoft. So under Windows 10, it has an offering called Take a Test. And, but you have a secure browser.
Effectively, they have their own user, which bans you from going to the desktop or accessing any copying and pasting or searching opportunities.
You're basically locked into that session. Oh, okay. Kind of maybe a guest session, you know, a kind of lockdown guest session on a computer. Right.
The only problem with that approach is, of course, it only works on Windows 10, right? Now, let me give you another example. This is an online company called ProctorU.
This is a digital—
So, I have two examples. There's a number of examples out there because obviously this is a tech problem, right?
And of course, not far behind tech problems, there's all sorts of tech responses, especially if it's going to make some money.
So, there's a few little options out there, but I wanted to share two with you today.
And I want you two, because you both are daddies, so I want you to kind of think about, hey, if this was my kid with his device or her device, you know, how would I feel about this as a parent?
Okay. Example number 1, Microsoft. So under Windows 10, it has an offering called Take a Test. And, but you have a secure browser.
Effectively, they have their own user, which bans you from going to the desktop or accessing any copying and pasting or searching opportunities.
You're basically locked into that session. Oh, okay. Kind of maybe a guest session, you know, a kind of lockdown guest session on a computer. Right.
The only problem with that approach is, of course, it only works on Windows 10, right? Now, let me give you another example. This is an online company called ProctorU.
This is a digital—
Proctor? ProctorU. Doctor Who? Proctor Who?
ProctorU. This digital service describes itself as the go-to source for online Identity and Exam Integrity. Sounds pretty good, right?
Now, they boast that ProctorU provides secure and live automated online proctoring services for academics and professional organizations, similar to what you were talking about, Graham.
Let me show you how this works. It's remote proctoring.
What I mean is there's a person in a remote location sitting and monitoring the student and the surroundings as they do the exam.
Now, I was looking around online, found a number of little complaints about ProctorU, so I started— I thought, go to their terms and services.
That's where they actually have to tell you exactly what's going on. And I'll paraphrase a bit, lose the legalese, but in the show notes you can read them for yourself.
So ProctorU will remotely connect to your computer in order to monitor your computer screens and premises. Proctors will view you and your surroundings via webcam.
Them or other means by listening to you or monitoring your computer screen. You agree to maintain audio contact during the entire session.
ProctorU may record your entire session, and you acknowledge that ProctorU is not responsible for anything that appears on your webcam or desktop.
And you consent to all such monitoring until you take the, quote, affirmative action of disconnecting completely from all services, quote.
So it's your responsibility to disconnect from the services, and unless and until you disconnect from the services, they can continue to be monitoring and recording you.
So I was like, what the heck? This seems a bit bizarre. So I was looking around. Redditor Mr. C. Backs calls it blatantly malware, and he says he refuses it for his class.
He wrote a comment saying that he decompiled and deobfuscated the ProctorU software, and his findings.
Quote, it makes a foreign call to a server and downloads a rootkit for your specific OS. Oh, that's nice. Linux included. It requires you to run Chrome as root.
They literally pay people to sit there and stare at you through your webcam while you take the test. So any thoughts on that approach?
We have the Microsoft approach, a kind of secure browser session, and then you have this more outrageous—
Now, they boast that ProctorU provides secure and live automated online proctoring services for academics and professional organizations, similar to what you were talking about, Graham.
Let me show you how this works. It's remote proctoring.
What I mean is there's a person in a remote location sitting and monitoring the student and the surroundings as they do the exam.
Now, I was looking around online, found a number of little complaints about ProctorU, so I started— I thought, go to their terms and services.
That's where they actually have to tell you exactly what's going on. And I'll paraphrase a bit, lose the legalese, but in the show notes you can read them for yourself.
So ProctorU will remotely connect to your computer in order to monitor your computer screens and premises. Proctors will view you and your surroundings via webcam.
Them or other means by listening to you or monitoring your computer screen. You agree to maintain audio contact during the entire session.
ProctorU may record your entire session, and you acknowledge that ProctorU is not responsible for anything that appears on your webcam or desktop.
And you consent to all such monitoring until you take the, quote, affirmative action of disconnecting completely from all services, quote.
So it's your responsibility to disconnect from the services, and unless and until you disconnect from the services, they can continue to be monitoring and recording you.
So I was like, what the heck? This seems a bit bizarre. So I was looking around. Redditor Mr. C. Backs calls it blatantly malware, and he says he refuses it for his class.
He wrote a comment saying that he decompiled and deobfuscated the ProctorU software, and his findings.
Quote, it makes a foreign call to a server and downloads a rootkit for your specific OS. Oh, that's nice. Linux included. It requires you to run Chrome as root.
They literally pay people to sit there and stare at you through your webcam while you take the test. So any thoughts on that approach?
We have the Microsoft approach, a kind of secure browser session, and then you have this more outrageous—
It's basically the proctor that sort of asking for backdoor access to your computer isn't it?
As you've already insinuated, I didn't actually make it to a proper university in my life.
As you've already insinuated, I didn't actually make it to a proper university in my life.
We still love you a lot of the time.
I've never heard of this word proctoring before, and that has rather distracted me. But I've just looked it up. No, I don't know.
Is this a North Americanism, or is this just my ignorance?
Is this a North Americanism, or is this just my ignorance?
Well, okay, I have to defer to David for the UK, but I certainly have used it my whole life. So this is—
It's not something I've come across.
Maybe it's an American one then. Maybe it is.
So this is when you supervise or invigilate? Invigilate, exactly. It's like an invigilator. A test, because I must say, I had rather more grubby thoughts as to what it could be.
You have to remember this software has— I'm trying to bring you back on point. The problem is this is your daughter or son's computer, their own device, right?
And in order to take the exam, you need to install this software that is installing, you know, it's an EXE you're installing onto your system that has access to basically block services when the session is on.
And in order to take the exam, you need to install this software that is installing, you know, it's an EXE you're installing onto your system that has access to basically block services when the session is on.
From the security point of view, I mean, it just sends shivers down our spine, doesn't it? It sounds like a recipe for disaster.
It sounds like the kind of thing which is going to have some security hole or vulnerability or be exploited in some fashion.
And then it's the most vulnerable members of society, the young people, who ultimately are going to find themselves exposed or have their information stolen from them.
It sounds like the kind of thing which is going to have some security hole or vulnerability or be exploited in some fashion.
And then it's the most vulnerable members of society, the young people, who ultimately are going to find themselves exposed or have their information stolen from them.
And in the ProctorU terms, they also say, oh, and we will be collecting information about you and sharing it with third-party affiliates. Thank you. Oh, ransomware. So—
You know, it feels to me like this isn't a great solution.
I mean, ultimately, if people want to cheat, Carole, as you did with your eraser trick, they're going to cheat, aren't they?
Even if they have a locked-down computer, if they're doing it remotely from home or something, they could have another device right next to it, which is helping them answer the questions.
Maybe the solution is to look for unusual behavior.
I mean, ultimately, if people want to cheat, Carole, as you did with your eraser trick, they're going to cheat, aren't they?
Even if they have a locked-down computer, if they're doing it remotely from home or something, they could have another device right next to it, which is helping them answer the questions.
Maybe the solution is to look for unusual behavior.
Well, that's what these remote proctors are doing. They're watching your facial expressions. They're watching what's going on around you with people next to you in the game.
You know, and they're making a call and they're locking you out of the system if they feel that you are not abiding by their regulations.
You know, and they're making a call and they're locking you out of the system if they feel that you are not abiding by their regulations.
But what I'm thinking is, if you were monitoring in a less techie way the success of pupils during the course of the academic year, and you have some sort of projection as to how good they are at long division and all the rest of it, if they suddenly get a 100% score in an exam, then that may lead you to think, hang on a minute, they've done an awful lot better than we expected, and that maybe will cause deeper investigation as to what may have happened in that particular test.
Yeah, we had some scary, scary invigilators.
We had one that used to walk around slamming his cane into his hand as he walked around through the aisles, and it's just so you hear this thwack.
And so you did not cheat, you know, you could hear it getting closer and further. But another one would throw erasers. Yeah, so you see, you guys have it easy now, kids.
So easy these days.
We had one that used to walk around slamming his cane into his hand as he walked around through the aisles, and it's just so you hear this thwack.
And so you did not cheat, you know, you could hear it getting closer and further. But another one would throw erasers. Yeah, so you see, you guys have it easy now, kids.
So easy these days.
They weren't erasers with words carved into them.
The thing is, okay, I know this is controversial, I'd kind of say cheating may not be as bad as all that because it takes some advanced skill to be an excellent cheater, right?
I mean, obviously I'm pretty top drawer. And who knows, it turns out that outright cheaters can now become president of the United States. So, you know, I think why not?
I mean, obviously I'm pretty top drawer. And who knows, it turns out that outright cheaters can now become president of the United States. So, you know, I think why not?
Go for it, right? I'm not sure that's the kind of cheating he was doing, is it?
Oh yeah, I'm sure he got straight A's and earned every one. Hey, Graham. Hey, Carole. I have a question for you about these password manager things you keep talking about.
All right, go on then, shoot. What happens if you forget your master password? What are you gonna do about that?
All right, go on then, shoot. What happens if you forget your master password? What are you gonna do about that?
Oh, you think you're really clever, don't you? Yeah. You think if you've forgotten your master password, you can't access any of your other passwords anymore.
Well, piff-paff-poof, Carole, because if you're running LastPass Enterprise, you can integrate your password manager with Microsoft Active Directory.
And that means the same password that your employees are already comfortable with using to log into your system will unlock everything.
It will unlock their passwords, it will unlock their Word, Sophos Network makes it super easy to bring LastPass into your enterprise.
Well, piff-paff-poof, Carole, because if you're running LastPass Enterprise, you can integrate your password manager with Microsoft Active Directory.
And that means the same password that your employees are already comfortable with using to log into your system will unlock everything.
It will unlock their passwords, it will unlock their Word, Sophos Network makes it super easy to bring LastPass into your enterprise.
Seriously? And it's still super safe?
It's still super safe.
Wow! That's kind of cool.
It's a great way of getting new employees using passwords safer and more securely. Rock on LastPass, I say!
And Carole, if you, or indeed our listeners, want to try it for themselves, all they need to do is go to lastpass.com/smashingsecurity. And welcome back.
Can you join us at our favorite time of the show? The part of the show that we like to call Pick of the Week.
And Carole, if you, or indeed our listeners, want to try it for themselves, all they need to do is go to lastpass.com/smashingsecurity. And welcome back.
Can you join us at our favorite time of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
Doesn't have to be security related necessarily.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
Doesn't have to be security related necessarily.
Should not be. Should never be.
Well, my pick of the week this week is not security related.
Phew!
Do you remember a few weeks ago I told you about this website which told you about how to find good shows on Netflix and Amazon Prime?
Yes, I've used it actually.
It's a very, very good pick of the week. Well, thank you very much.
I've been trying it as well, and I found a documentary which came out a couple of years ago called Tower, and it's an unusual documentary.
I've been trying it as well, and I found a documentary which came out a couple of years ago called Tower, and it's an unusual documentary.
Oh, you told me about this.
Yeah, it's about the 1966... It's a bit of a grim subject, I'm sorry about that. It's about the 1966 shooting from the University of Texas's clock tower.
Now I love a good documentary and this is a superb documentary.
And what makes it unusual was that the filmmakers had a particular challenge because they were able to interview people who are still alive, obviously, but there wasn't very much footage of the actual event.
So how were they going to do this? And they could have dramatized it in a traditional kind of reconstruction sort of way, but they—
Now I love a good documentary and this is a superb documentary.
And what makes it unusual was that the filmmakers had a particular challenge because they were able to interview people who are still alive, obviously, but there wasn't very much footage of the actual event.
So how were they going to do this? And they could have dramatized it in a traditional kind of reconstruction sort of way, but they—
With really bad actors and bad lighting.
You know what the kind of, you know, sort of, yeah, Forensic Files style. But they didn't do that.
Instead, what they did was they filmed actors, but they then later animated them with rotoscoping. So much of the documentary— rotoscoping?
Yeah, that's when I think they did it in that Lord of the Rings cartoon movie, which came out in the late '70s or early '80s.
That may have been one of the first cases where they actually record you, so they know how you move and how you talk and all the rest of it.
But they sort of— they get their tracing paper out, Carole, and they sort of draw your outline, and you end up with something which is moving in a human kind of way, but it's actually an animation.
So that's what they did with this, and they have young actors who are reenacting what happened, and they're speaking straight to camera, but they're animated.
Animated, and they're saying the words of the interviewees who were obviously interviewed 50 years later for the movie.
And it gives a real immediacy to their memories because it's like they're talking about it when they were young, when it actually happened.
And there is a particularly moving part of the documentary which still sends chills down my spine thinking about it. You're watching— Oh, tell us!
Instead, what they did was they filmed actors, but they then later animated them with rotoscoping. So much of the documentary— rotoscoping?
Yeah, that's when I think they did it in that Lord of the Rings cartoon movie, which came out in the late '70s or early '80s.
That may have been one of the first cases where they actually record you, so they know how you move and how you talk and all the rest of it.
But they sort of— they get their tracing paper out, Carole, and they sort of draw your outline, and you end up with something which is moving in a human kind of way, but it's actually an animation.
So that's what they did with this, and they have young actors who are reenacting what happened, and they're speaking straight to camera, but they're animated.
Animated, and they're saying the words of the interviewees who were obviously interviewed 50 years later for the movie.
And it gives a real immediacy to their memories because it's like they're talking about it when they were young, when it actually happened.
And there is a particularly moving part of the documentary which still sends chills down my spine thinking about it. You're watching— Oh, tell us!
Oh, I want to! Are you going to tell us?
Yeah, I'm going to.
You're watching an animated young woman describing her experience, and suddenly the film cuts to a real-life filmed interview with the actual victim as she is today, 50 years older, continuing the sentence.
And you're suddenly sort of brought— it's given me chills right now. It just becomes so real.
You're watching an animated young woman describing her experience, and suddenly the film cuts to a real-life filmed interview with the actual victim as she is today, 50 years older, continuing the sentence.
And you're suddenly sort of brought— it's given me chills right now. It just becomes so real.
It's a hard thing to describe. It's more something you have to see.
It is something you have to see. And I don't think I've given away much by telling you that, but I would really recommend it. It is superbly done.
So it's called Tower, it's on Netflix, very interesting and very touching. So that wasn't very cheery, was it?
But that is, that was, I have to say, one of the best documentaries I've seen for a while, so I'd recommend it. David, what is your pick of the week?
So it's called Tower, it's on Netflix, very interesting and very touching. So that wasn't very cheery, was it?
But that is, that was, I have to say, one of the best documentaries I've seen for a while, so I'd recommend it. David, what is your pick of the week?
My pick of the week is definitely not security related. Good, David. It is an app.
Now, I don't know if it's only in our family, but it would appear as though my wife and I have often infuriatingly different perceptions of colour.
So, for example— yeah, okay, go with me here— so, for example, she might say something, "Darling, could you grab my blue coat from the hallway?" And I will get her distinctly blue coat from said hallway, and upon handing over said distinctly blue coat, I will get berated for picking up her obviously green coat.
Obviously green.
Now, I don't know if it's only in our family, but it would appear as though my wife and I have often infuriatingly different perceptions of colour.
So, for example— yeah, okay, go with me here— so, for example, she might say something, "Darling, could you grab my blue coat from the hallway?" And I will get her distinctly blue coat from said hallway, and upon handing over said distinctly blue coat, I will get berated for picking up her obviously green coat.
Obviously green.
That particular shade of green known as obviously green.
I was thinking because you've just moved house, right? So I was thinking that you would be having the fights over the paint colour.
Oh no, we have had that, yes. Curtains, actually.
And this was a particular conversation that we had in bed looking at the new curtains, and I was saying, oh, you know, that the curtains, they go nicely, the green on the curtain goes nicely with the green on the bedsheet.
And this was a particular conversation that we had in bed looking at the new curtains, and I was saying, oh, you know, that the curtains, they go nicely, the green on the curtain goes nicely with the green on the bedsheet.
It's not green, David! Were you there?
This is weird. So I swore blind that this color on our curtains was in fact green. Yes, okay, see what I did there? I swore that it was green. She said, no, it's not.
So I said, right, there has to be an app for this.
Now, what I would say is that I know that generations of genetics mean that men are more prone to color blindness, but I don't think that that's what it is, because I don't have this problem with anyone else, and it's just that we're dim, isn't it?
It's just that perhaps, perhaps that's it. So what I found was an app called Clone Live Color Picker, and it's a really simple app for iPhone.
I think it's on Android as well, and it's certainly helped to douse one or two arguments in our house already.
At its most basic, it uses your phone's camera or a picture that you've taken on your camera roll or something that you screen grab from a website or whatever, and it tells you the color that you point or tap to, and it'll give you that in RGB or CMYK, hex, hue, saturation, brightness, and it'll even tell you the closest official Pantone color.
That's what you want. Exactly.
So I said, right, there has to be an app for this.
Now, what I would say is that I know that generations of genetics mean that men are more prone to color blindness, but I don't think that that's what it is, because I don't have this problem with anyone else, and it's just that we're dim, isn't it?
It's just that perhaps, perhaps that's it. So what I found was an app called Clone Live Color Picker, and it's a really simple app for iPhone.
I think it's on Android as well, and it's certainly helped to douse one or two arguments in our house already.
At its most basic, it uses your phone's camera or a picture that you've taken on your camera roll or something that you screen grab from a website or whatever, and it tells you the color that you point or tap to, and it'll give you that in RGB or CMYK, hex, hue, saturation, brightness, and it'll even tell you the closest official Pantone color.
That's what you want. Exactly.
And you don't care. Yeah, you don't want to argue.
Yeah. And you want the words. Oh no. And some of the words are amazing as well.
You can change the color temperature if you're not sure your camera's quite got it right, and it'll even suggest some complementary colors that fit into the same palette.
And it's got a colorblind mode, so it just highlights the basic color, so it'll tell you if it's red, green, or blue in the live view mode. Yeah, it's really, really good.
It's also really well designed, as you would expect an arty app to be, and believe it or not, it's actually quite addictive.
You know, once you start pointing it at things around your house and you see some of the weird and wonderful color names that these things have, like Blaze and Epic and Swirl.
You're like, what?
You can change the color temperature if you're not sure your camera's quite got it right, and it'll even suggest some complementary colors that fit into the same palette.
And it's got a colorblind mode, so it just highlights the basic color, so it'll tell you if it's red, green, or blue in the live view mode. Yeah, it's really, really good.
It's also really well designed, as you would expect an arty app to be, and believe it or not, it's actually quite addictive.
You know, once you start pointing it at things around your house and you see some of the weird and wonderful color names that these things have, like Blaze and Epic and Swirl.
You're like, what?
So, okay, do you have the phone with you now? Do you have this app right now near you?
I do indeed.
Let me open it up. Could you—I'm trying to think of something. So could you do the back of your hand? Oh, I just want to see.
Yeah, let's see. Okay, I'm doing this right now. Whatever. Yeah, okay, I'm getting, depending on which bit of my hand I'm looking at, I'm getting Santa Fe spicy, spicy mix.
And oh, this one's a little bit less salubrious: wax flower.
And oh, this one's a little bit less salubrious: wax flower.
That's, that's what I've always thought.
David, David, I've got a good one for you to try out. Do you remember The Dress from a few years ago?
Oh yes, of course.
The black—it was a dress and people were arguing as to whether it was black and blue stripes or white and gold stripes.
So if you go and check out, we can settle this argument right now. Okay, is it black and blue or white and gold?
So if you go and check out, we can settle this argument right now. Okay, is it black and blue or white and gold?
I'm going in right now. So here's the original dress that I'm looking at on Wikipedia, and I'm pointing my phone at it now, and drum roll. Oh gosh, it changes. So rock—What? Rock.
I'm getting rock blue. And then I move down here and I get light slate grey. So rock blue and light slate grey are the two kind of main colors on that dress.
I'm getting rock blue. And then I move down here and I get light slate grey. So rock blue and light slate grey are the two kind of main colors on that dress.
But there's no white or goldish sort of color there. Maybe we've—
Anyway, do you know what? It's a really good, interesting sort of browsing color app. It's not going to change your life unless you have lots of arguments with your wife.
And I should say—
And I should say—
It will change my life, trust me. This is quite useful.
The Pantone color for my wife's coat definitely reads a shade of blue, but apparently me and the app are both still wrong.
Boom! Was the app written by a man? You see, that's what you have to ask yourself. Was it a man who can't really tell colours at all?
I can't remember. Was Pantone sorted out by the colour, by men who may have colour blindness? I don't know.
So, Carole, what's your pick of the week? Well, okay, controversial.
I'm breaking a few rules here. Security related. This is a gizmo. No, it's not security related. It is a gizmo, one that I do not own or haven't even played with. Controversial.
So you're recommending something that you have no experience of?
I'm strongly incentivised to learn more about it. And I think it's worth recommending to you at this stage, darling listener and hosts, that you do the same.
Okay, so hold your breath and you let me know at the end. So this is an innovative startup company called Altered. These guys make taps or faucets.
My grandmother always used to hate that word faucet, and I hate it too. I don't have no idea why.
Now Altered, they make taps and they call them Nozzle, and it's a patented technique to develop affordable water-saving for people. It reduces water use by over 90%. 9-0.
How do they do this? Well, I'm quoting founder Kaj Mikosch, who explained to Nordic Business Insider, an ordinary tap loses 10 to 12 litres of water per running minute.
Okay, that's a lot of water. Only a small part of that touches your hands or rinses off the plate.
Now he says, my idea was to atomise the water so that every drop gets its own surface. At the same time, increased speed, you get a bigger effect out of every single drop.
Pretty cool, right? So this saves an average— you did a few tests in the States, right? Saves an average of 50,000 litres of water a year per household. That's a serious saving.
Okay, so hold your breath and you let me know at the end. So this is an innovative startup company called Altered. These guys make taps or faucets.
My grandmother always used to hate that word faucet, and I hate it too. I don't have no idea why.
Now Altered, they make taps and they call them Nozzle, and it's a patented technique to develop affordable water-saving for people. It reduces water use by over 90%. 9-0.
How do they do this? Well, I'm quoting founder Kaj Mikosch, who explained to Nordic Business Insider, an ordinary tap loses 10 to 12 litres of water per running minute.
Okay, that's a lot of water. Only a small part of that touches your hands or rinses off the plate.
Now he says, my idea was to atomise the water so that every drop gets its own surface. At the same time, increased speed, you get a bigger effect out of every single drop.
Pretty cool, right? So this saves an average— you did a few tests in the States, right? Saves an average of 50,000 litres of water a year per household. That's a serious saving.
Yeah, but, and I get that if you're washing your hands or doing something like that. But what if I just want a glass of water?
Yeah, my wife drinks a lot of tea every day. How's this going to help fill in the kettle?
Is it not? This is not— this is the kind of nozzle that fits over your tap, right? And it's cheap. You can get it for around €30 or maybe $50.
And companies like IKEA have adopted the tech to create their own tap offering using the same technology. So it's worth a gander, don't you think, boys?
90% of water is going to water one? I've looked into it, yeah, because I've done research for this episode and I am getting one. So I'll let you know in a few weeks how I—
And companies like IKEA have adopted the tech to create their own tap offering using the same technology. So it's worth a gander, don't you think, boys?
90% of water is going to water one? I've looked into it, yeah, because I've done research for this episode and I am getting one. So I'll let you know in a few weeks how I—
Are you on some kind of commission or something? What's the—
No, no, I haven't even talked to them. Never talked to anyone at the company before.
Okay, so it's gonna create some sort of spray, so it's droplets rather than—
Oh, why don't— Here, should I send you a video?
Is that what I need to do? Send me a video. There you go. Okay, let's check it out.
Ah, they've got— they do have a dual flow option here as well, I see. Okay, so this fixes my filling a glass of water or a saucepan problem. You just twist it around.
Give it a little twiddle.
Yep. Give a twiddle.
Yes, it's like a— It's kind of cool. It's a spray when you're washing your hands and then you—
Atomisation. Very cool, Cruel. I think a nice saving of over 90% of water would be a good thing for all of us to think about. So there you go. Save money, be responsible.
Boom. Well, that just about wraps it up for this week's episode of Smashing Security. David, thank you for joining us.
If people want to follow you online or find out what you're up to, what is the best way to do that?
If people want to follow you online or find out what you're up to, what is the best way to do that?
Well, probably on Twitter.
I can't guarantee that I'm going to be online all that much, but @DavidMcClelland, all the C's, all the L's with a couple of vowels chucked in for good measure.
I can't guarantee that I'm going to be online all that much, but @DavidMcClelland, all the C's, all the L's with a couple of vowels chucked in for good measure.
And on Twitter you can follow us as well, @SmashInSecurity, no G. Twitter wouldn't allow us to have a G. We've got an online store. Remember our revamped store?
There's all kinds of goodies up there. And you can get t-shirts and mugs and stickers and goodies at smashingsecurity.com/store. And if you show, what should people do, Carole?
There's all kinds of goodies up there. And you can get t-shirts and mugs and stickers and goodies at smashingsecurity.com/store. And if you show, what should people do, Carole?
They should definitely give us a review, listen to old episodes, send us story ideas, give us 5 stars, the whole caboodle.
Until next time, cheerio, bye-bye, bye everybody.
Some takeaways:
- Browser extensions – even the ones that are supposed to be keeping you safe – have an enormous amount of power. If an extension goes rogue, everything you do in your browser is now compromised.
- In the past we’ve even seen the ownership of browser extensions change. It may be the case that you are now dealing with a completely different developer, and they may have malicious intentions.
- Always be wary when browser extensions ask for elevated permissions.
- Keeping the number of extensions you run in your browser to a minimum reduces your threat surface.
- And if you are an extension developer, you have enormous responsibility to secure your code and developer account so others cannot easily take advantage.
There needs to be some sort of repository for extensions and permissions or alerts in when ownership of an add-on changes for the exact reasons you mention. Or some kind of "certification" for open-source code verifying that the code is not doing anything malicious
It has always concerned me about what if Adblock, Adblock Plus and uBlock Origin were compromised. That would be a lot of browsers affected.
It's possible to avoid using browser extensions, but getting rid of the last one—the adblocker—is a problem because browsing without one is also an issue. Hosts files are too clunky. It was better when adblockers was build directly into the browser rather than extensions (such as 'Tracking Protection Lists' in Internet Explorer 9 onwards), and the user then just subscribed to the lists they wished to use (such as EasyList, etc.) or used their own lists.
Opera has built in adblocker with lists, also chrome has some sort of built in adblocker these days.