Some computer users are reporting that they have received a new type of extortion email in their inbox, which – in an attempt to scare them into giving in to demands for money – quotes part of their phone number.
For some time extortion emails have been sent to computer users, claiming that they have been secretly recorded while visiting pornographic websites in an attempt to blackmail them out of money.
Some of the extortion emails have even taken to including a user’s password in the email (albeit perhaps not related to an adult website they may have visited) in an attempt to shock the user into believing that their private use of a porn site might be exposed.
The latest incarnation of the emails, however, incorporates the four digits of a recipient’s phone number. And – get this – it often really is the correct phone number.
A typical email reads as follows (complete with the extortionist’s spelling mistakes and grammatical errors):
It seems that, +XX XXXXXX1234, is your phone. You may not know me and you are probably wondering why you are getting this e mail, right?
actually, I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean). While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop) having a keylogger which gave me accessibility to your screen and web cam. after that, my software program obtained all of your contacts from your Messenger, FB, as well as email.
What did I do?
I backuped phone. All photo, video and contacts. I created a double-screen video. 1st part shows the video you were watching (you’ve got a good taste haha . . .), and 2nd part shows the recording of your web cam.
exactly what should you do?
Well, in my opinion, $1000 is a fair price for our little secret. You’ll make the payment by Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).
BTC Address:
1GYNGZLEUGkkQjHo19dHDnGE87WsAiGLLB
(It is cAsE sensitive, so copy and paste it)
Important:
You have 48 hour in order to make the payment. (I‘ve a unique pixel in this e mail, and at this moment I know that you have read through this email message). If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I receive the payment, I’ll destroy the video immidiately. If you need evidence, reply with “Yes!” and I will certainly send out your video recording to your 6 contacts. It is a non- negotiable offer, that being said don’t waste my personal time and yours by responding to this message.
There are two obvious questions raised by the emails.
Why isn’t the extortionist including the whole phone number in the email?
After all, if the bad guys had it – wouldn’t they use it to get greater leverage over their intended victim? It’s not as though they give two figs about protecting a computer user’s privacy after all…
The only logical answer to this question is: the extortionist doesn’t have the whole phone number. They only have some of the digits.
So where did they get the partial phone numbers from?
I suspect the vast majority of people visiting porn websites don’t create accounts on the sites, and even if they did they would be wary of giving their real phone number. So the adult sites themselves seem unlikely to be the source of the information.
It’s possible the number is derived from a data breach where only four digits of a phone number is stored, and the extortionists have done a look-up to match numbers to email addresses… but why would a company only want to store some of your phone number?
Researcher Didier Stevens has a different theory.
He proposes that the numbers might be derived from the password reset mechanisms of popular websites.
Take a look at eBay, for instance.
Anyone can enter your email address on eBay, and (if you have an account on the site using that email address) it will tell them *some* of the digits of your phone number.
It’s a similar story with PayPal, and many other sites.
It should go without saying that I don’t recommend you pay the blackmailer if you receive one of these unpleasant emails. In all likelihood they are trying their luck, hoping they are able to scare just a small proportion of people into believing that they really do have video footage of a computer user as they visit a porn site.
If you are still worried that receiving such an email would scare the willies out of you, and you aren’t able to kick your porn-viewing habit, maybe now is a good time to invest in a webcam cover for both your desktop PC and your smartphone.
And while you’re at it keep your computer protected with up-to-date security software, ensure that your operating system and applications are fully patched, and consider running an ad blocker.
It may not stop you receiving a blackmail email, but it may give you a little more peace of mind.
For more discussion of this topic, be sure to check out this episode of the “Smashing Security” podcast:
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Obviously, I suppose our advice is don't pay. Obviously.
Yeah, just stand up and say, "I'm proud to watch porn." Surely that's the way to get around this.
I think standing up isn't always the best advice for someone who's been going to these sort of sites. Give them half an hour at least.
Smashing Security, Episode 91: Sextortion, Las Vegas Hotels, and Alex Jones. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 91.
My name is Graham Cluley.
Smashing Security, Episode 91: Sextortion, Las Vegas Hotels, and Alex Jones. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 91.
My name is Graham Cluley.
I'm Carole Theriault.
And Carole, we are joined by the returning Maria Varmazis. Hello, Maria. Hello.
The wonderful, wonderful Maria.
Maria, I can't do that.
Happy summer, Maria. Is it going well? August?
Yeah, I'm glad it's almost over. I'm not a summer person.
Oh, really? Graham isn't either. I love it.
Oh, it's been sweltering hot and slammy and—
Okay, we've just done what we said we'd never do. We've opened the podcast talking about the weather.
Let me say to everyone who's listening then, instead of talking about the weather, let's thank them for nominating us in the Podcast Awards.
The Podcast Awards.
Yes, the Podcast Awards.
We have been nominated for Best Technology Podcast.
We have, and there's some other great podcasts in there as well, so it's going to be a tough battle. But in the coming weeks, I believe they will be announcing who has won.
I think we need to go in with the thought that we are the best. We're number one.
Obviously.
Right?
Is that how you think, crew?
Yeah.
You go in high and then you—
Well, I go in the way I plan to leave, right? With the award. No, I'm just, my fingers and toes are crossed. It would be so exciting.
It would be so exciting. It would be exciting, but it's actually pretty cool to be nominated.
Anyway, but thank you because it was a vote from our listeners. So all of you guys that went through the painful process of voting for us, high five.
Absolutely. You voted for us, didn't you, Maria?
Oh, absolutely. Pain in the ass to do it.
It was, wasn't it?
You're very welcome.
Thank you very much.
My bots were totally, I mean, no, no, no, no, I didn't, didn't use bots.
MetaCompliance, the security e-learning experts, make learning best practice engaging and fun through stories, realistic scenarios.
The MetaCompliance guys provide animated e-learning and even games like phishing drills to test your knowledge.
Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness.
Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance.
Hi, Graham.
The MetaCompliance guys provide animated e-learning and even games like phishing drills to test your knowledge.
Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness.
Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance.
Hi, Graham.
Hey, Carole Theriault.
I have a question for you.
Okay.
Do you have a password manager?
Yes, of course I've got a password manager.
Do you?
Yes, I do.
And do you honestly, honestly think that all companies should have a password manager?
Oh, absolutely.
I totally agree.
If you don't have one of those, your employees are going to make some terrible password decisions and hackers may be able to break in.
And an enterprise-grade solution like the one from LastPass, for instance, will have support for Microsoft Active Directory and funky functions like that to make it even easier to secure your business.
And an enterprise-grade solution like the one from LastPass, for instance, will have support for Microsoft Active Directory and funky functions like that to make it even easier to secure your business.
Okay, I think you've passed my test. Listeners can check out LastPass enterprise for themselves by visiting lastpass.com/smashingsecurity.
Now, chaps, chappesses, there is a fair bit of sextortion going on at the moment, and this particular flavor of sextortion arrives in your inbox in the form of an email.
Sorry, can you just tell me what sextortion is again? Just describe it.
It's extortion but with a rather tabloidy S in front of it to suggest there's sexual content. And these emails claim that you have been visiting a pornographic website.
And not so very long ago— No, exactly, of course not. But not so very long ago, these emails were arriving and they were even including users' passwords.
And not so very long ago— No, exactly, of course not. But not so very long ago, these emails were arriving and they were even including users' passwords.
What do you mean?
Well, so you would get an email saying, hey, we know you've been going to naughty websites, and to prove it, do you recognize this password? And you kind of go, oh, crumbs.
Hunter 2.
Yes. Hamster jelly or whatever it is, the password that you use everywhere.
And you think, crikes, not only do they email me and I do sometimes go to rude websites, but they also know my password.
And you think, crikes, not only do they email me and I do sometimes go to rude websites, but they also know my password.
Do you?
Do you go to rude websites?
Ironically, I'm ignoring that. Ironically, these passwords quite often weren't actually for the websites because of course, who creates an account on a porn website? Why would you?
Right? That'd just be crazy.
Right? That'd just be crazy.
Oh, what?
Crazy talk. Yeah, why would you do that?
Why would you do that? I mean, it's not like you need to, right?
I would love to hear from people who do that.
I don't understand. Don't you have to register though and pay money and therefore you have a username?
1994? No.
I don't go to porn sites. I really, I know nothing. I'm really out of my depth.
Just go to the internet, Carole. You don't have to go to porn sites. Everywhere there's nudity and bondage.
Oh, what? You just type in boobs or something and that's it.
Yes, exactly.
Okay.
And apparently now you're also 6 years old. How do the sex happen? Doink!
I can't imagine why anyone would ever create an account on these sites, but presumably some people do.
Good to know though.
But people are receiving these emails even if they haven't created accounts, right? And the newest trick is that the emails say, do you recognize this phone number?
It's yours, isn't it? And what they do is they're including maybe the last 4 digits of the recipient's phone number.
It's yours, isn't it? And what they do is they're including maybe the last 4 digits of the recipient's phone number.
So basically they are sharing information with the victim that belongs to the victim, like a phone number or parts of a password that they've gotten through any number of breaches.
And they're saying, we've got you, we've got you, we can expose you unless you do X.
And they're saying, we've got you, we've got you, we can expose you unless you do X.
Because we've taken over your computer, we've gone through your Facebook friends list and your messenger list.
So we've taken over your webcam, we've recorded what video you were looking at, and then sort of maybe 25 seconds into the video, we started recording you through your webcam as well.
So we've taken over your webcam, we've recorded what video you were looking at, and then sort of maybe 25 seconds into the video, we started recording you through your webcam as well.
Ah, nobody wants to see that, right?
So you just don't— you don't just see someone eating popcorn, whatever, I guess, on these sites.
So they're saying unless you pay up, you know, $1,000 or whatever via bitcoin, you are going to have all this information exposed to your nearest and dearest.
And won't that be embarrassing?
And because these latest emails include some numbers from your phone number, maybe the last 4 digits or a couple of others, that makes you think, crikey, they must be onto me.
And won't that be embarrassing?
And because these latest emails include some numbers from your phone number, maybe the last 4 digits or a couple of others, that makes you think, crikey, they must be onto me.
Yeah, but the joke's on them because people put this stuff willingly on the internet for free anyway through like Chatroulette and stuff. So if that even still exists.
So they're going to just get emails and go, people are going to go, Yeah, do your worst, buddy. It's already out there.
So they're going to just get emails and go, people are going to go, Yeah, do your worst, buddy. It's already out there.
Do your worst. I remember what I did in 2012. Yeah, up on Chatroulette with my electric piano, my bassoon.
You know what? I did Chatroulette maybe two years ago for the first time.
Did you?
And it was very weird. And I saw someone's junk and I stopped.
You stopped what?
Well, I just closed the webpage and decided I wasn't— Chatroulette wasn't right for— Oh.
Oh, I see.
Good night, everybody.
So, so I've got two obvious questions. Now, I think what I'll do is I'll include a link in the show notes so you can actually see the emails and what they're saying.
But in the example I'm sharing, the blackmailer has only listed the last 4 digits of the phone number.
So my first question is, why isn't the extortionist including the whole phone number in their email? Because if the bad guys really had it, wouldn't they use it?
Wouldn't they make it clear to you, we've got your entire phone number and we know your Auntie Jean's mobile number as well?
But in the example I'm sharing, the blackmailer has only listed the last 4 digits of the phone number.
So my first question is, why isn't the extortionist including the whole phone number in their email? Because if the bad guys really had it, wouldn't they use it?
Wouldn't they make it clear to you, we've got your entire phone number and we know your Auntie Jean's mobile number as well?
Yeah, but they're obscuring it for your safety.
Well, because they care about privacy. Exactly.
We care about you, customer, and your privacy.
Oh, that would be wonderful. But of course, they don't give two figs about that, do they? The only logical answer is that they don't really have your whole phone number.
They've only got some of the digits. So my next question is, so where did they get those partial phone numbers from? Is it that there's been a data breach?
They've only got some of the digits. So my next question is, so where did they get those partial phone numbers from? Is it that there's been a data breach?
Yeah, that was my assumption. That was my assumption.
Wait, you're telling me there was a data breach and this information was on there?
Well, okay, nobody told me. Couple of things. First of all, we've already agreed that many people won't actually have created accounts on the porn sites, right?
But even then, why would any company only store some of the digits of your phone number?
Maybe some of the digits of your credit card number, maybe, but some of the digits of your phone number doesn't really make sense.
So researcher Didier— Oh, you got a theory, Carole?
But even then, why would any company only store some of the digits of your phone number?
Maybe some of the digits of your credit card number, maybe, but some of the digits of your phone number doesn't really make sense.
So researcher Didier— Oh, you got a theory, Carole?
I don't know. I'm just thinking it's identifiable information.
I understand it's in a gray area, but if someone said, hey, you know, we salt your phone number, I'd be kind of like, oh, that's cool.
I understand it's in a gray area, but if someone said, hey, you know, we salt your phone number, I'd be kind of like, oh, that's cool.
Well, it's possible, maybe, but it just seems a little peculiar to me.
All right.
Okay, let's go on.
Researcher Didier Stevens, he has a different theory as to where these numbers may be coming from.
He proposes that the numbers might be being derived from the password reset mechanisms of popular websites.
So I, for instance, went to eBay and I have an account on eBay and I pretended I'd forgotten my password.
He proposes that the numbers might be being derived from the password reset mechanisms of popular websites.
So I, for instance, went to eBay and I have an account on eBay and I pretended I'd forgotten my password.
Are we doing a little bit of original reporting here? This is fun.
All right. And it said, we'll text you on— right, which is my mobile phone number. And it obscured all but a few of the digits. And then I tried it on PayPal.
And it gave me the last four digits of my phone number there as well. And I think there are probably plenty of websites which will give away some of your phone number.
And it gave me the last four digits of my phone number there as well. And I think there are probably plenty of websites which will give away some of your phone number.
Yeah, I think that happens actually quite often just to verify that that's the phone number that you've provided them to make credit cards. Right, of course. So that's where—
Yep, yep, absolutely.
And because they're gonna SMS you or something, you know, you want to check the right phone and think, oh gosh, I have to look at that one to get this PIN code.
Now I don't go through the process and the extortionist doesn't go through that process either, but they've now got some of the digits of your phone number, which they can then put into an email to make it seem more convincing.
Now I don't go through the process and the extortionist doesn't go through that process either, but they've now got some of the digits of your phone number, which they can then put into an email to make it seem more convincing.
So how did they get my, how did they get the four digits, you're reckoning?
I think what they were doing was they have an email address from somewhere, right? Could be from a breach or something.
Oh, and they type it in.
They type it in or have a little bot which puts it in.
Yeah, I don't think they're doing it one by one.
Yeah, and then they extract the digits of your mobile number.
Write them down in pencil.
Then they fax it to themselves. Get some chalk.
Run to the mimeograph.
Yeah, sharpen the pencil. So obviously, I suppose our advice is don't pay, you know, obviously.
Yeah, just stand up and say, I'm proud to watch porn. Surely that's the way to get around this.
I think standing up isn't always the best advice to someone who's been going to these sort of sites. Give them half an hour at least.
So basically it's taking advantage of their embarrassment, right?
Well, no, it's terrifying to think that, you know, you might have—
Your private time has been—
So, obviously don't pay. Protect your computer with up-to-date security software. You expected me to say that. Patch all your operating system.
Run an ad blocker because sometimes popular porn websites have been compromised by malvertising, for instance, malicious adverts.
But also, you know, invest in a webcam cover for both your desktop PC and maybe your smartphone as well.
Run an ad blocker because sometimes popular porn websites have been compromised by malvertising, for instance, malicious adverts.
But also, you know, invest in a webcam cover for both your desktop PC and maybe your smartphone as well.
Or just a Band-Aid. A Band-Aid works.
Yeah.
I literally just put a Post-it note over it.
Now tell me, Graham, do you think anyone should reply saying, well, since you seem to have my last four digits, why don't you give me all my digits if you're so close?
That's a good idea, Carole. Really goad the blackmailer and extortionist.
Poke the monkey.
No, I don't think it is a good idea. I just want you to say it isn't.
Oh, okay. Then I think we're agreed. Yeah, so that's not such a good idea. But you know, be safe online, kids.
And yes, if you've got anything you need to cover up, cover it up with a Post-it note or a webcam cover or a tea cup.
And yes, if you've got anything you need to cover up, cover it up with a Post-it note or a webcam cover or a tea cup.
Hide your shame.
Whatever fits.
No one wants to see that.
Thank you very much. Lovely. Anyway, I hope that's helped somebody.
Yeah.
Not safe for work. Okay.
Now, Maria.
Yes.
Please raise the tone.
No. Oh, okay, sure. Well, I feel privileged to be on the podcast the week after arguably one of the biggest and busiest weeks for security practitioners.
DEF CON.
Yes.
Last week was hacker summer camp where thousands of people who this stuff, maybe are listening, go to Las Vegas and get blitzed out of their brains or just go to a lot of talks or some combination of the two.
Networking, seeing old friends, picking some locks, soldering some PCBs, whatever. Having a parlay, all these talking like pirates apparently. All these things are happening.
And it's been several years since I've been, but I worked those events, so it wasn't super fun for me.
But anywho, the biggest, there's always the press blitz of what's the big story gonna be out of DEF CON this year?
And years ago, I think you might remember the whole hacking of a Jeep thing, and there was a whole hullabaloo about that.
I think there's two stories in contention for the big stories out of DEF CON this year, but the one that I'm gonna vote for is actually, a story about DEF CON itself, and it's kind of inside baseball a little bit.
So let me set the story. Basically, I'm sure you remember last year in October in Las Vegas, there was a horrific massacre. How can you forget?
And since that terrible massacre happened last year, a lot of United States hotels have implemented new security policies.
And the big question is, are these policies security theater or are they justified?
And this question came up because basically all the DEF CON attendees came face to face with it last week.
So the do not disturb sign for the Caesars hotels, and DEF CON was at Caesars Palace this year, has a little tiny little fine print on the bottom.
And it says, say if you put the do not disturb sign on your door, right?
Even if you refuse housekeeping, quote, staff reserve the right to enter this room daily, even if the sign is displayed on your door, for maintenance, safety, security, or any other purpose.
Networking, seeing old friends, picking some locks, soldering some PCBs, whatever. Having a parlay, all these talking like pirates apparently. All these things are happening.
And it's been several years since I've been, but I worked those events, so it wasn't super fun for me.
But anywho, the biggest, there's always the press blitz of what's the big story gonna be out of DEF CON this year?
And years ago, I think you might remember the whole hacking of a Jeep thing, and there was a whole hullabaloo about that.
I think there's two stories in contention for the big stories out of DEF CON this year, but the one that I'm gonna vote for is actually, a story about DEF CON itself, and it's kind of inside baseball a little bit.
So let me set the story. Basically, I'm sure you remember last year in October in Las Vegas, there was a horrific massacre. How can you forget?
And since that terrible massacre happened last year, a lot of United States hotels have implemented new security policies.
And the big question is, are these policies security theater or are they justified?
And this question came up because basically all the DEF CON attendees came face to face with it last week.
So the do not disturb sign for the Caesars hotels, and DEF CON was at Caesars Palace this year, has a little tiny little fine print on the bottom.
And it says, say if you put the do not disturb sign on your door, right?
Even if you refuse housekeeping, quote, staff reserve the right to enter this room daily, even if the sign is displayed on your door, for maintenance, safety, security, or any other purpose.
So basically, this sign's basically saying they can go in once a day for whatever reason you want.
Yeah, it's basically carte blanche. You can tell us you don't want us to come in your room, but we're gonna do it anyway for literally any reason. So they don't need to justify it.
And the note also goes on to say, hotel staff will knock and announce their presence before entering.
And the note also goes on to say, hotel staff will knock and announce their presence before entering.
I always assumed that they would be able to do that, actually.
And that's a very good point, so hang on to that, 'cause I think that's the big— Okay, that's a really, really important point.
Okay, so we have that notification in theory from the hotel, but several attendees, and this is not just a scant few, this is a decent amount of people, including many solo female travelers, said their room was barged into while they were either bathing or changing without any warning.
So it wasn't just somebody knocking on the door. It's like they are, it's like somebody's just in their room and they had no idea.
In other cases, many attendees recounted instances of men banging at their door demanding to be let in right at that very moment, purporting to be from hotel security.
And then the supposed hotel security would not provide the attendee any way to verify that those men actually are who they said they are.
Okay, so we have that notification in theory from the hotel, but several attendees, and this is not just a scant few, this is a decent amount of people, including many solo female travelers, said their room was barged into while they were either bathing or changing without any warning.
So it wasn't just somebody knocking on the door. It's like they are, it's like somebody's just in their room and they had no idea.
In other cases, many attendees recounted instances of men banging at their door demanding to be let in right at that very moment, purporting to be from hotel security.
And then the supposed hotel security would not provide the attendee any way to verify that those men actually are who they said they are.
See, that's terrible, isn't it?
Yeah.
Yes!
I mean, if the gas man comes round to my house, he'll have a little ID card, and I have an option if I want of ringing up British Gas and saying, can you confirm this is genuinely a gas engineer?
Does he have a moustache?
That's how you know.
That's how you know over here. Whereas if it's a security team at a hotel, you know, who are coming into your room and you're the only one there, that would feel rather threatening.
Yeah, you've got two men at your door and you're fresh out of the shower and these men are saying, we need to be let in right now.
Barging in while I'm changing.
Well, even if they haven't barged in, they're banging on your door going, you need to let us in right now for security reasons.
And you're going, I don't know you are who you say you are. You can show me a badge, but that's super easy to fake.
And you're going, I don't know you are who you say you are. You can show me a badge, but that's super easy to fake.
This is a PR nightmare for the hotel.
So one person who experienced this exact issue was Luda Security CEO Katie Mazuris, and she tweeted about this basically saying this is her last DEF CON unless this changes because basically no keys needed to access the floors via the elevator.
The card she was shown had the photo rubbed off.
She says it was only shown after I had been screamed at and the door pounded on, which was after I had politely asked to verify their IDs by calling downstairs.
I was trying to follow a reasonable authentication process. In fact, I was walking the supervisor on the phone through it as he talked over me about the necessity of the search.
I wasn't arguing about my privacy. I was protecting my life and my body from assault. He missed the point. And that is a huge, huge point right there.
So far, the response from the Vegas hotels have basically been, hey, read the terms of service, guys.
It's a new policy since the awful massacre last year, and as we all know probably, the shooter had a huge arsenal of guns in his room.
So we need to be able to verify that you're not hoarding all these guns in your room.
The card she was shown had the photo rubbed off.
She says it was only shown after I had been screamed at and the door pounded on, which was after I had politely asked to verify their IDs by calling downstairs.
I was trying to follow a reasonable authentication process. In fact, I was walking the supervisor on the phone through it as he talked over me about the necessity of the search.
I wasn't arguing about my privacy. I was protecting my life and my body from assault. He missed the point. And that is a huge, huge point right there.
So far, the response from the Vegas hotels have basically been, hey, read the terms of service, guys.
It's a new policy since the awful massacre last year, and as we all know probably, the shooter had a huge arsenal of guns in his room.
So we need to be able to verify that you're not hoarding all these guns in your room.
And as I remember, the shooter in that instance had spent a couple of days sort of setting up this array of weaponry.
Right, undisturbed, yeah.
And obviously he must have had the do not disturb sign on or whatever and wasn't answering room service.
So I can understand from the hotel's point of view that they want to be really careful about this, maybe for insurance purposes if nothing else.
So I can understand from the hotel's point of view that they want to be really careful about this, maybe for insurance purposes if nothing else.
Likely for all of that, yeah.
To make sure that there's nothing untoward going on, but at the same time, they've got to have a method by which the residents can feel comfortable that they have a legitimate reason to come in.
Okay, playing devil's advocate, I can kind of understand why they'd be a bit twitchy.
Who, the hotel or the attendee?
The hotel.
You know, there was a big massacre that happened and they're going to be held responsible or they're going to feel responsible for ensuring the safety of everyone, and they're probably going about it like a pendulum.
They've gone too far.
You know, there was a big massacre that happened and they're going to be held responsible or they're going to feel responsible for ensuring the safety of everyone, and they're probably going about it like a pendulum.
They've gone too far.
You're saying you're on our private property and we should be able to do whatever it takes to secure our property.
Yeah, which is obviously hooey, and they should just calm it down a bit because that is very scary.
There's no way I'd want to go to stay in a hotel if that was a risk, someone pounding.
There's no way I'd want to go to stay in a hotel if that was a risk, someone pounding.
But they also have a duty of care to look after their residents.
Yes, absolutely, I understand.
They need to build a mechanism by which they can confirm that they are really called housekeeping.
Well, do you want to hear a further wrinkle to the story? Because it actually gets even a little more complicated from here.
So the hotel says, yeah, you should not have any expectation of privacy. And a lot of people in response to all these incidents have been saying that as well.
And I think we mentioned that earlier, that you know, you're in a hotel, don't expect any— you know, people are going to be there.
But the hotel also said, we're only going to do a quick visual check, just a quick glance around your room. We're not touching your stuff.
Except this is DEF CON, so you got a lot of people who are really paranoid and they set up hidden cameras in their hotel rooms because they want to see if someone's actually monkeying with their shit.
So the hotel says, yeah, you should not have any expectation of privacy. And a lot of people in response to all these incidents have been saying that as well.
And I think we mentioned that earlier, that you know, you're in a hotel, don't expect any— you know, people are going to be there.
But the hotel also said, we're only going to do a quick visual check, just a quick glance around your room. We're not touching your stuff.
Except this is DEF CON, so you got a lot of people who are really paranoid and they set up hidden cameras in their hotel rooms because they want to see if someone's actually monkeying with their shit.
Ho ho ho ho.
So I can't verify this.
So this is hearsay, but several journalists who are actually actively researching the story right now say they've been sent video from DEF CON attendees of hotel security rummaging through their stuff, taking photos of guest personal effects and overhearing the security guys threatening to put videos of what they found on Snapchat, that kind of thing.
So it's—
So this is hearsay, but several journalists who are actually actively researching the story right now say they've been sent video from DEF CON attendees of hotel security rummaging through their stuff, taking photos of guest personal effects and overhearing the security guys threatening to put videos of what they found on Snapchat, that kind of thing.
So it's—
Oh my gosh.
And other attendees have said that their belongings have been confiscated, some of which are technically illegal or frowned upon in Nevada law.
But things like soldering irons and lockpick sets, which are kind of de rigueur at DEF CON.
But things like soldering irons and lockpick sets, which are kind of de rigueur at DEF CON.
Sounds like forgetting your sunglasses.
Exactly. One does not go to DEF CON without one's lockpick set. It's true. But I mean, frankly, I always brought one with me every time I've gone.
It's kind of the thing you do because I like lockpicking. Sorry, lock sport. It's not illegal if you call it lock sport. But yeah, people are saying their stuff's been confiscated.
So it gets really— so one can understand the hotel's point of view here. But flip side, the guests were going, this is a new policy.
We were really caught by surprise and saying, yeah, the terms of service is there in this tiny print at the bottom of the do not disturb sign is really not enough warning.
And the irony of security pros complaining about no one reading the terms of service is not lost on anyone here.
It's kind of the thing you do because I like lockpicking. Sorry, lock sport. It's not illegal if you call it lock sport. But yeah, people are saying their stuff's been confiscated.
So it gets really— so one can understand the hotel's point of view here. But flip side, the guests were going, this is a new policy.
We were really caught by surprise and saying, yeah, the terms of service is there in this tiny print at the bottom of the do not disturb sign is really not enough warning.
And the irony of security pros complaining about no one reading the terms of service is not lost on anyone here.
Surely in your manual for your room, they would have a lengthy explanation as to how this will occur. You know what?
I don't—
Maybe it doesn't have to say what time of day, but what the procedure is.
Yeah, you know, there will be a knock on your door, the person will identify themselves and explain what they're doing.
Yeah, you know, there will be a knock on your door, the person will identify themselves and explain what they're doing.
The number you can call to verify. Exactly. Yeah, if you would, because we tell people to do that all the time if a financial institution purportedly is calling you.
Saying, hey, we've got this fraud alert on your credit card, we tell them, actually, I want to call you back.
You know, why would we not have that protocol in place for something as scary as people physically coming into your space when you're by yourself?
Saying, hey, we've got this fraud alert on your credit card, we tell them, actually, I want to call you back.
You know, why would we not have that protocol in place for something as scary as people physically coming into your space when you're by yourself?
Surely after all this hoo-ha, Caesars and other hotels will take a moment to think about, could we have handled this better?
Have they not responded yet?
My understanding is the story is still unfolding. So I think the response from Caesars has basically been, this is our policy.
We disclosed it to people, and frankly, this is now the new policy at almost all American hotels at this point.
We disclosed it to people, and frankly, this is now the new policy at almost all American hotels at this point.
There's going to be a U-turn when they find out about the videos.
Did you hear about the other thing which happened at Caesars during these conferences as well? No.
Matt Linton, who is a Google security researcher, he's one of the guys who found the Spectre security hole in CPUs.
He tweeted while he was there about some really good attacks in Vegas.
Matt Linton, who is a Google security researcher, he's one of the guys who found the Spectre security hole in CPUs.
He tweeted while he was there about some really good attacks in Vegas.
And what do you mean?
Well, he meant, of course, software vulnerabilities and exploits and things like this.
And apparently the Las Vegas police saw this, were rather nervous about his language, and of course assumed the worst and came and had a chat with him.
And apparently they understood, you know, once they'd had the chat, they said, okay, we get it, we now know you're talking about software attacks in relation to the conference.
However, and they went away fine and apparently were very polite. However, Caesars threw this researcher out of the hotel at midnight and told him he wasn't welcome anymore.
And apparently the Las Vegas police saw this, were rather nervous about his language, and of course assumed the worst and came and had a chat with him.
And apparently they understood, you know, once they'd had the chat, they said, okay, we get it, we now know you're talking about software attacks in relation to the conference.
However, and they went away fine and apparently were very polite. However, Caesars threw this researcher out of the hotel at midnight and told him he wasn't welcome anymore.
Yep. I think he got permabanned, didn't he? He's not welcome at all ever.
That's right. So he was just thrown out onto the strip and survive for yourself, buddy.
And because there's clearly just a zero tolerance to anything like this because they're all being so paranoid. So I think a little bit more sensitivity and care is needed.
And because there's clearly just a zero tolerance to anything like this because they're all being so paranoid. So I think a little bit more sensitivity and care is needed.
Has DEF CON, any spokesperson from DEF CON said anything about this?
Oh yeah, the head of security actually offered his resignation over this issue.
Yeah, ooh.
Everyone's basically rejecting his resignation, 'cause I don't think this was his fault. And he said this, what happened was not the policy that he was told by Caesars.
Oh, I'm sure, I'm sure, yeah.
He has offered his resignation. As of right now, I don't think he has been accepted. So this story is still unfolding. We'll see what the fallout is.
To me, one of the biggest things is there's a growing call from a number of attendees saying that they're not returning to DEF CON at all, ever, or to even Las Vegas at all, ever, because of these policies.
And I'm not surprised. They're saying it's overly intrusive security theater and just straight up not friendly to hackers.
And other people are saying either move DEF CON to another city or get it out of the United States entirely.
Because, you know, as we've seen with for example, United States TSA, once you have security measures in place, they don't tend to go away.
To me, one of the biggest things is there's a growing call from a number of attendees saying that they're not returning to DEF CON at all, ever, or to even Las Vegas at all, ever, because of these policies.
And I'm not surprised. They're saying it's overly intrusive security theater and just straight up not friendly to hackers.
And other people are saying either move DEF CON to another city or get it out of the United States entirely.
Because, you know, as we've seen with for example, United States TSA, once you have security measures in place, they don't tend to go away.
So it's very— it's just too darn hot in Vegas anyway.
I agree.
Go there in August, in August, of all things, and it's so expensive. Go to Greenland instead. That'd be a cool place.
Do they have the capacity for 30,000 hackers?
Yes, they'd love it. They'd love it.
Well, me personally, if I ever go to DEF CON again, I mean, I would not assume any privacy at all, and I'd probably invest in an $11 wedge doorstop if I was really worried about somebody barging in when I'm in the shower, which I honestly might be now.
But I really hope the new room search policies are communicated and conducted in a better way, but I really cannot blame anyone for not wanting to go back to DEF CON after this.
But I really hope the new room search policies are communicated and conducted in a better way, but I really cannot blame anyone for not wanting to go back to DEF CON after this.
Yeah. No one likes to be barged in.
I have been rudely barged in on actually, I remember at a hotel once it was, it was a room service maid sort of person and I was in a state of some déshabillé as I say, but I think I probably was less traumatized by the girl than her.
I have been rudely barged in on actually, I remember at a hotel once it was, it was a room service maid sort of person and I was in a state of some déshabillé as I say, but I think I probably was less traumatized by the girl than her.
I was gonna say, this is how a lot of porn starts. So going back to the previous story. But yeah, it's a serious issue though.
I mean, it's, you know, we're chuckling about it, but this is a nightmare. So I'm very curious to see how this develops. So watch this space, I guess. Crazy.
I mean, it's, you know, we're chuckling about it, but this is a nightmare. So I'm very curious to see how this develops. So watch this space, I guess. Crazy.
Speaking of crazy. Crazy Crow, what crazy story have you got for us this week?
Well, I want to talk about crazy conspiracy theories, namely one guy that has been in the press a lot lately, and that is Alex Jones.
Now, unless you've been following the antics of this guy for, what, 5 years, it does look like a huge pile of nonsense, but there's been a lot going on, so I thought I'd kind of summarize it and then we could have maybe a little chat about it, because I think it's raising some important points.
So Alex Jones, the conspiracy theorist radio host, he's not what I would call a good faith guy. He's been running this Infowars for about 20 years.
It actually started as a public access TV show in Austin, and it's grown from there into all kinds of channels.
But I mean, his YouTube channel boasts at its height 80 million views a month. Oh my God, isn't that shocking? America, why?
So he has definitely earned the reputation of spreading unfounded, hateful conspiracy theories, right?
The most shocking of them was that the US government was in on the 9/11 attacks, or there was the Sandy Hook shooting.
He was saying it was a total hoax and that mourners were being paid. He's actually being sued by parents of the children who were murdered at Sandy Hook.
Now, unless you've been following the antics of this guy for, what, 5 years, it does look like a huge pile of nonsense, but there's been a lot going on, so I thought I'd kind of summarize it and then we could have maybe a little chat about it, because I think it's raising some important points.
So Alex Jones, the conspiracy theorist radio host, he's not what I would call a good faith guy. He's been running this Infowars for about 20 years.
It actually started as a public access TV show in Austin, and it's grown from there into all kinds of channels.
But I mean, his YouTube channel boasts at its height 80 million views a month. Oh my God, isn't that shocking? America, why?
So he has definitely earned the reputation of spreading unfounded, hateful conspiracy theories, right?
The most shocking of them was that the US government was in on the 9/11 attacks, or there was the Sandy Hook shooting.
He was saying it was a total hoax and that mourners were being paid. He's actually being sued by parents of the children who were murdered at Sandy Hook.
It's horrendous.
And he's also facing defamation for— remember in Charlottesville, the car that mowed down the people? He was saying it was all a setup. So someone's suing him for that as well.
So anyway, make your own mind up. He seems to me to be crazy, dangerous, dangerous, dangerous, more crazy, I think.
So anyway, make your own mind up. He seems to me to be crazy, dangerous, dangerous, dangerous, more crazy, I think.
Yeah.
And he does have a pretty serious fan base. His audience grew fivefold as Trump rose to power.
You might remember Trump actually has been on the Infowars show where he praised Alex Jones and made promises to him.
He even gave Alex Jones of Infowars a temporary press pass to the White House in May 2017. So he has friends in high places.
But anyway, it seems that he has finally pissed off the wrong people. So first, Apple announced that it was going to stop distributing Jones's 5 podcasts and his Infowars website.
Now, this is the most powerful podcast distribution platform in the world, so this is kind of a big deal and shuts off a huge communication vector for him.
Then Jones was banned from Facebook, YouTube, and Spotify.
Spotify say they ban him not for his conspiracies, but because Infowars, quote, "expressly and principally promotes, advocates, or incites hatred or violence against a group or individuals based on characteristics," unquote.
You might remember Trump actually has been on the Infowars show where he praised Alex Jones and made promises to him.
He even gave Alex Jones of Infowars a temporary press pass to the White House in May 2017. So he has friends in high places.
But anyway, it seems that he has finally pissed off the wrong people. So first, Apple announced that it was going to stop distributing Jones's 5 podcasts and his Infowars website.
Now, this is the most powerful podcast distribution platform in the world, so this is kind of a big deal and shuts off a huge communication vector for him.
Then Jones was banned from Facebook, YouTube, and Spotify.
Spotify say they ban him not for his conspiracies, but because Infowars, quote, "expressly and principally promotes, advocates, or incites hatred or violence against a group or individuals based on characteristics," unquote.
Well, right. I mean, you can't ban somebody for a conspiracy. That's about as American as apple pie.
Right.
I mean, really.
He was banned from YouPorn as well. Did you hear that?
Yes, that's true.
He was.
Wait, wait, are you serious?
Yes.
No.
Yeah. Okay.
What?
I forgot that. You're right.
I don't think he had his own channel up there, but—
Because I don't want to Google this because I really—
I am. I'm going to do it. I've never done this in my life.
Oh, you brave soul.
Apparently YouPorn doesn't just have porn videos. People also upload other videos like Infowars to it. And those videos have been removed.
I don't know whether this is YouPorn's PR department.
I don't know whether this is YouPorn's PR department.
I'm afraid I can't see it. My family-friendly filter is on, so nothing comes up with Alex Jones and YouPorn.
That's fantastic.
I bleach. I bleach.
Yeah, that's why I'm so innocent, guys.
I would take one for the team and Google it, but I just don't want to.
Now, Facebook, who had previously imposed a 30-day ban on Jones personally for his role in posting violating content to its pages, decided finally to fully remove the Alex Jones channel page, the Alex Jones page, the Infowars page, and the Infowars Nightly News page.
Facebook said, quote, more content from the same pages has been reported to us. Upon review, we take it down for glorifying violence, etc., etc. So again, the violent thing.
And a few hours later, YouTube also zapped Jones's channel. And get this, his YouTube views prior to the channel being removed were tallying in total 1.6 billion.
I find that shocking. 1.6 billion.
Facebook said, quote, more content from the same pages has been reported to us. Upon review, we take it down for glorifying violence, etc., etc. So again, the violent thing.
And a few hours later, YouTube also zapped Jones's channel. And get this, his YouTube views prior to the channel being removed were tallying in total 1.6 billion.
I find that shocking. 1.6 billion.
I think there's a decent— okay, probably small percentage of that that's just hate watching, but I'm sure a lot of that's legit.
I'm sure most of that's legit, and that just makes me really sad.
I'm sure most of that's legit, and that just makes me really sad.
So, and lastly, and this is the bit that I wanted to talk about a bit, was Twitter.
Now they've come along and rather than banning him, they've slapped Alex Jones with a 7-day ban, but they haven't terminated his account.
Now they've come along and rather than banning him, they've slapped Alex Jones with a 7-day ban, but they haven't terminated his account.
Hang on, hang on. So all these other sites have banned him or shut down his channels and all the rest of it, right? And Twitter, well, basically, let's not forget it's August.
Alex Jones may have gone on holiday to the Mediterranean, right? He may not be creating any videos or any podcasts for the next 7 days.
It's like he's gone on holiday for 7 days and then he'll be back on Twitter.
Alex Jones may have gone on holiday to the Mediterranean, right? He may not be creating any videos or any podcasts for the next 7 days.
It's like he's gone on holiday for 7 days and then he'll be back on Twitter.
It's strange, eh? On Wednesday, the day of recording, Twitter CEO said that Alex Jones has not broken any rules. Bullshit.
And he says it's up to journalists to sort out the BS from fact. I am paraphrasing.
And he says it's up to journalists to sort out the BS from fact. I am paraphrasing.
No thanks.
It's so interesting. So the CEO is quoted in The Independent saying accounts like Jones can often sensationalize issues and spread unsubstantiated rumors.
So it's critical journalists document, validate, and refute such information directly so people can form their own opinions.
This is what serves the public conversation best, he says.
So it's critical journalists document, validate, and refute such information directly so people can form their own opinions.
This is what serves the public conversation best, he says.
As if journalists don't have enough to do, you know, now they got to be policing him.
It's hard enough to keep up with the news anyway, right?
Right.
Yeah.
I find this all bonkers because, you know, him saying they have not— they've not terminated his account because he has not broken any rules.
Well, I went and looked at the Twitter rules. And inside the Twitter rules, it says, do not incite violence, do not engage in abuse or hateful conduct.
But they do have this kind of carte blanche thing which basically says if it's newsworthy, we can change our minds.
Well, I went and looked at the Twitter rules. And inside the Twitter rules, it says, do not incite violence, do not engage in abuse or hateful conduct.
But they do have this kind of carte blanche thing which basically says if it's newsworthy, we can change our minds.
That's how they also keep Trump up there. It's this really— I'm an avid Twitter user and I mean, this whole thing has been beyond disappointing. I don't know. I agree with you.
I feel exactly, I have been thinking that's how you hurt them is by getting off Twitter.
I find this whole story disappointing on so many levels. Why did this take so long? And I'm sure I'm gonna get flamed for censorship, but whatever. Why did it take so long?
Why did all the other companies only act once Apple started it? Well, what's up with that domino effect?
And thirdly, Twitter's position on this has been super wishy-washy and basically them, they have these terms of service.
Why did all the other companies only act once Apple started it? Well, what's up with that domino effect?
And thirdly, Twitter's position on this has been super wishy-washy and basically them, they have these terms of service.
Haha.
And that they kind of only selectively enforce for certain people. I've never understood this.
It would be really gross to think though that Twitter was actually hoping to profit from Alex Jones's bans from everything, because you know, he won't have anywhere else to go, but that'd be crazy, right?
Oh no, yeah, don't do that.
And it seems to me that Twitter only took action, I don't know if you saw this other thing which was going on on Twitter, I think her name is Shannon Coulter, a Twitter user who has been rallying other Twitter users to block the top Fortune 500 companies on Twitter until Twitter did something about Alex Jones.
And she created a very easy way to mass block all of these companies so that they would no longer be appearing in your feed.
And she created a very easy way to mass block all of these companies so that they would no longer be appearing in your feed.
Yep. And super easy.
I didn't read that, and you should put that in the show notes. That's interesting.
I'll put it in the show notes. It's extremely interesting. And now, of course, Alex Jones has been banned, albeit only for his little holiday around the Algarve.
Yeah, it's on a 7-day hiatus.
7-day hiatus. But, you know, Twitter, we hear all about these rules about Twitter. You can't be offensive and you can't incite violence and all the rest of it.
But the other rule, it seems to me, the other commandment is you must not do anything which damages Twitter's potential to make some money.
And that's why they turn a blind eye to Donald Trump calling former staff members dogs.
And that's why they allow Alex Jones to carry on spreading his hate and plenty of other unpleasant stuff as well. And they know that most of us aren't going to quit Twitter.
But the other rule, it seems to me, the other commandment is you must not do anything which damages Twitter's potential to make some money.
And that's why they turn a blind eye to Donald Trump calling former staff members dogs.
And that's why they allow Alex Jones to carry on spreading his hate and plenty of other unpleasant stuff as well. And they know that most of us aren't going to quit Twitter.
Is it time to start #QuitTwitter?
Well, there are alternatives like Mastodon, but you know, it just hasn't reached that kind of critical mass that you want to go to it.
Because we just left Facebook. Where are we going to go?
Now, do you guys think— so this is the other question I had.
Do you guys think that these bans basically say that tech companies are now admitting to some accountability or say as to what they allow to be publicized on their services?
Do you guys think that these bans basically say that tech companies are now admitting to some accountability or say as to what they allow to be publicized on their services?
I'm sure they would say probably not because they don't want that kind of responsibility. I think of a lot of these social media sites as replacing the newspaper.
And having worked at newspapers before, I mean, when you get countless letters to the editor and a lot of them are from straight-up kooks, people who are absolutely crazy, and these letters often will threaten the journalists and say really scary, weird, off-the-hinge things.
But the editor has the discretion to say, you know what, I'm not going to publish this because this doesn't serve public good.
But we don't have that kind of judgment or ethics amongst these players. Some people would call that gatekeeping. And I understand where that's coming from.
People are saying, oh, it's censorship or gatekeeping. And I think it's an interesting discussion.
But seriously, does a letter threatening a journalist's life actually add to discussion?
And the same thing with Alex Jones, he's not just a conspiracy theorist, that really reduces the amount of harm he's doing. Conspiracy theories in America are everywhere.
And that's like, you know, did we land on the moon or not? Okay, fine.
And having worked at newspapers before, I mean, when you get countless letters to the editor and a lot of them are from straight-up kooks, people who are absolutely crazy, and these letters often will threaten the journalists and say really scary, weird, off-the-hinge things.
But the editor has the discretion to say, you know what, I'm not going to publish this because this doesn't serve public good.
But we don't have that kind of judgment or ethics amongst these players. Some people would call that gatekeeping. And I understand where that's coming from.
People are saying, oh, it's censorship or gatekeeping. And I think it's an interesting discussion.
But seriously, does a letter threatening a journalist's life actually add to discussion?
And the same thing with Alex Jones, he's not just a conspiracy theorist, that really reduces the amount of harm he's doing. Conspiracy theories in America are everywhere.
And that's like, you know, did we land on the moon or not? Okay, fine.
But he's violent.
He's violent.
Doxing.
Exactly. So that's like, does that actually add anything to the public sphere? Or is he just, what's the actual value there? Questions all around there.
Yeah. And of course, free speechers are using the argument that he's allowed to speak freely as everybody else is.
You know what? I think he's free to say what he likes, but there's a question as to where he can say it.
If I invite someone round to my house for dinner, and if they're offensive to other dinner guests, then I might say, you know what, do you mind leaving? And I won't invite them.
If I invite someone round to my house for dinner, and if they're offensive to other dinner guests, then I might say, you know what, do you mind leaving? And I won't invite them.
I thought you'd say, here's a megaphone.
Yeah, right. Don't, you know, don't come back in, because it's about being kind, isn't it? But, you know, just clear off.
And if you want to do that in your house, then go ahead and do it, or find your own little murky corner of the internet.
And if you want to do that in your house, then go ahead and do it, or find your own little murky corner of the internet.
But that's what he's claimed to have done, right?
Well, he can buy his own server. Yeah, he can make his own website. I mean, crazy websites have been on the internet, interweb, since forever.
But, you know, he can set up his own stuff. Why does he have the right to use another company's platform to spread this info? I don't think so.
But, you know, he can set up his own stuff. Why does he have the right to use another company's platform to spread this info? I don't think so.
Given, right?
No.
I mean, look, I'm not a fan of the guy. I'm not gonna miss him. So, there you go.
Yeah, I always get a little nervous talking about this stuff because the worm can turn, as the saying goes. I don't agree with him, and I find him to be extremely violent and scary.
But, you know, if somebody decides that something I'm saying is now not acceptable and I get permabanned, what's—what does that mean?
So, you know, I'm always a little like, oh, this is scary. But, yeah, I don't know, cagey about it.
But, you know, if somebody decides that something I'm saying is now not acceptable and I get permabanned, what's—what does that mean?
So, you know, I'm always a little like, oh, this is scary. But, yeah, I don't know, cagey about it.
I'm feeling a little bit dirty having gone down Alex Jones's rabbit hole.
I feel like we need a bit of a shower, and we might need to—I think we need to clear our palate a little bit.
I feel like we need a bit of a shower, and we might need to—I think we need to clear our palate a little bit.
Oh, stressed. Oh my God.
Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in.
Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare.
That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.
LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.
As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.
Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.
Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare.
That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.
LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.
As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.
Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.
Hey, Clue.
Hey, Carole.
Did you listen to my little bit about MetaCompliance and their e-learning?
Oh yeah, I heard that earlier in the show. Yeah, nice one.
Did you?
Yeah.
Okay, well, have you signed up yet?
Well, no, I've been doing the podcast, Carole. I haven't had time to sign up for it, have I?
Well, women know how to multitask. Surely you can get a move on and sign up. We get 10% off.
Off.
Just go to smashingsecurity.com, you should know that website, /meta-compliance and enter the code smashing with a G.
SmashingSecurity.com/meta-compliance, enter the code smashing. Terrific.
With a G. Cool.
And welcome back to our favorite part of the show. The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Not security related necessarily.
Doesn't have to be.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Not security related necessarily.
Doesn't have to be.
Should not be.
And my Pick of the Week this week is definitely not security related. I feel a little bit embarrassed because I feel like this is a subject I have occasionally talked about before.
Doctor Who.
Okay. Yes, please not Doctor Who.
It's the one which isn't Doctor Who. It's chess.
You know what, Graham? I'm not going to give you a hard time.
You're not?
And you know why? Because I've been— I just started playing chess again.
Oh, hey.
Yeah. Yeah. I finally converted her. Carole—
No, it had nothing to do with you. And I won't even play you.
No, you won't actually. I keep asking you to.
But can you livestream that match when it happens? I want to see it.
I have been using— so my pick of the week is not the game of chess.
It is a website called lichess.org, and the nice thing about Lichess is it is a completely free chess internet server with all the features that you would expect.
Everything is free. You can't give them— well, you can give them money to support the server and things, but no ads, and you get no ads or anything like that.
And it's not just chess. You can also play chess variants like Chess 960 or Antichess and all those crazy things.
It is a website called lichess.org, and the nice thing about Lichess is it is a completely free chess internet server with all the features that you would expect.
Everything is free. You can't give them— well, you can give them money to support the server and things, but no ads, and you get no ads or anything like that.
And it's not just chess. You can also play chess variants like Chess 960 or Antichess and all those crazy things.
Crazy Chess, Crazy Horse, Crazy Horse.
Yeah, I've never tried that. Even world champion Magnus Carlsen plays on Lichess. He used to call himself Danny the Donkey. That was his username. But now he's Dr. Drunkenstein.
And you can go and see maybe—
And you can go and see maybe—
I'm sure he's loving you exposing him.
Does he go to DEF CON? Is that where that name comes from?
Danny the Donkey. But I don't know. Well, you know, if you want to challenge him sometime, Carole, with your English opening or show him your fianchetto.
Yeah. Well, I'm working on my English opening.
Is that a food? What is it?
I'm working on it, but I haven't got it down at all yet. So, don't worry, Graham, I'll show up.
Anyway, lichess.org, link in the show notes. Very cool site. Go and check it out.
It's very cool. Yeah, I agree. Excellent, excellent recommendation.
Maria, what's your pick of the week?
Pick of the week for me is a video game that I have been playing nonstop for at least a week or two now. It is a great game, but it has a stupid name.
And it's called Octopath Traveler.
And it's called Octopath Traveler.
Why do you think it's stupid?
Octopath?
Octopath.
You imagine it's got to be—
Is it like an octopus that also can read my mind?
Well, yeah, you imagine it's about a hitchhiking octopus or something like that, don't you? Octopath Traveler.
That's actually a cool idea. No, the reason it's called Octopath Traveler is that you have 8 characters that you can choose from. And you can— so 8, hence Octo.
And they have their own path. But yeah, you're very welcome for the etymology lesson. I'm here.
And they have their own path. But yeah, you're very welcome for the etymology lesson. I'm here.
What is the path bit? Can you explain the path bit to me?
Is it like a road?
It's like— it's a thing your feet go on.
Oh right, okay, excellent.
So this Octopath, so this game is a Japanese role-playing game, but it's in English, you know, so you don't have to read Japanese to play it.
So anyone who loves Super NES video games, RPGs like Chrono Trigger or Final Fantasy 6, this is in that vein. And no idea what she just said.
Well, I was trying to keep it simple, and then when I go nerdy, you don't know what I'm saying. I gotta find the middle ground.
So anyone who loves Super NES video games, RPGs like Chrono Trigger or Final Fantasy 6, this is in that vein. And no idea what she just said.
Well, I was trying to keep it simple, and then when I go nerdy, you don't know what I'm saying. I gotta find the middle ground.
So when you said octopus, it's not about octopuses. Sorry, I'm just going back to that.
I lost me after that bit. I haven't encountered an octopus in this game, but it could happen. I'm not done yet.
Ah, shame.
But if anyone likes JRPGs, especially from the '90s, this is in that vein, but it's an improvement on all the old complaints about those games.
This is a Switch game.
Switch game. Sorry, I didn't mention it. Nintendo Switch. And it's turn-based combat, which means you can literally leave your battle and go to the bathroom and nothing has happened.
It's great. They're waiting for you.
It's great. They're waiting for you.
And in these kind of games, you take turns, don't you?
Yes. You wait your turn, you hit somebody, you wait your turn, you throw a spell at them. It's great. This game has been massively popular with the nerd set.
It sold 110,000 copies in the first week, which is a big number.
So if you've heard about it and you're into JRPGs and you're, "I don't know if I should play it," I'm giving you my recommendation.
It's not perfect, there's problems with it as with any game, but it's—
It sold 110,000 copies in the first week, which is a big number.
So if you've heard about it and you're into JRPGs and you're, "I don't know if I should play it," I'm giving you my recommendation.
It's not perfect, there's problems with it as with any game, but it's—
I do have a Nintendo Switch. I've heard about Octopath Traveler. It sounds like it's quite a good game. I'm not into RPGs though. I've never really tried them, really.
Oh, maybe try this one.
All right, well, you're a drug pusher. "Maybe try crystal meth, Graham."
It's the first try.
"Maybe you'll like it." Maybe I won't. Maybe I haven't got enough hours in the day.
Graham on crystal meth.
First one's always free, Graham. So yeah, except you have to pay for it on the Switch store, so you know, it's not actually free.
But Carole, what is your pick of the week?
Well, my pick of the week, because my story was a little bit depressing about Alex Jones.
Yes.
And I was telling Graham earlier that after I'd written it up, you know, I was complaining to Graham, and Graham, you, my bud and co-host, sent me this video.
And after only watching 1 minute of it, it cheered me up and made it my pick of the week. Because of course I've just told the story, so you're all sad out there.
So all you gotta do is watch this video.
Now this is basically a pastiche video where they take Alex Jones and his actual words, but they put a little melody and harmony around it and cheer it up a little bit.
All right, see what you think. Just click on the link right now. Just wait, just wait. Green looking skin.
And after only watching 1 minute of it, it cheered me up and made it my pick of the week. Because of course I've just told the story, so you're all sad out there.
So all you gotta do is watch this video.
Now this is basically a pastiche video where they take Alex Jones and his actual words, but they put a little melody and harmony around it and cheer it up a little bit.
All right, see what you think. Just click on the link right now. Just wait, just wait. Green looking skin.
I think if he did this on his show, yeah, he'd probably have more fans.
Yes.
Single rebits are awesome. So there you go, there's my pick of the week.
I love it.
Go watch this.
Oh my God, that's fantastic. Well, on that conspiracy bombshell we have just about wrapped it up for this week.
Maria, if people wish to follow you on any of the social networks, maybe you'll have left Twitter by the time this—
Maria, if people wish to follow you on any of the social networks, maybe you'll have left Twitter by the time this—
Just go stay at Caesar's Palace and burst into her room.
Don't, no, actually, please don't do that. Please don't.
How should people get in touch with you?
Not by bursting into any room that I am in. That would be scary. They can find me— I'm still on Twitter until I decide I can't take it anymore, but I am @MariaVarmazis.
And you can follow Smashing Security on Twitter as well, @SmashingSecurity. No G, Twitter wouldn't allow us to have a G.
We've got a Smashing Security store, smashingsecurity.com/store, if you want some stickers or mugs or anything like that.
And if you really like the show, why not go to Apple Podcasts or Google Podcasts and give us a nice review? Tell the world.
We've got a Smashing Security store, smashingsecurity.com/store, if you want some stickers or mugs or anything like that.
And if you really like the show, why not go to Apple Podcasts or Google Podcasts and give us a nice review? Tell the world.
Tell the world we're nice guys.
Until next time. Cheerio. Bye-bye.
Toodle-oo.
Au revoir. Ugh, I'm stressed. Oh my god. Yeah, this stresses me out. Oh my god.
Dude, you've missed the forrest for the trees. Everyone (at least in the US, and probably in the UK) have had every bit of informtaion that Equifax had on them stolen. Don't you think it would include phone numbers, email addresses, credit card statements from adult entertainment companies, etc.
There's absolutely no end to the shitstorm that we could soon be facing, since they already know more about us than we do ourselves.
If the full phone number has been exposed by a data breach, why isn't the extortionist including the full phone number in the email? It doesn't make logical sense to me.
Typo:
"If you are still worried that you such an email would scare the willies out of you"
I need this job ????