CAROLE THERIAULT
Today's episode of Smashing Security is brought to you by Rapid7.
Identifying, prioritizing, and managing vulnerabilities all the way through to remediation is not only possible, it can be simple.
Right now, build a vulnerability management program that works for you with InsightVM by Rapid7. Get started with your free 30-day trial at rapid7.com.
Unknown
Smashing Security, episode 35. Of the Roomba with mandatory Chinese Spyware with Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to another episode of Smashing Security, episode 35. My name is Graham Cluley, and I'm joined as always by my good buddy and co-host Carole Theriault.
Hello, Carole, how are you? Why are you laughing?
CAROLE THERIAULT
Because you're tripping over your words. Forgot my name.
GRAHAM CLULEY
I always do that. There's so much— Sorry.
CAROLE THERIAULT
I don't know.
GRAHAM CLULEY
I don't know. Who does this show with me? Who does it? Oh, it's her! Hello, Carole, how are you?
CAROLE THERIAULT
Hi, Graham.
GRAHAM CLULEY
You all right?
CAROLE THERIAULT
Great, you?
GRAHAM CLULEY
I'm all right. Now, I might sound a little bit odd today because I am on assignment at a top-secret location.
I can't tell you exactly where in the world I am, but I'll give you a clue. I did see the Eiffel Tower earlier, and I might have seen one of the pyramids of Luxor at the same time.
Other than that, I'm not saying anything. Our smart security audience maybe can work it out, but I'm not going to tell anyone.
And we're also joined by a very special guest, aren't we, Carole?
CAROLE THERIAULT
We are. Say hello, Mr. Dan Ring.
CAROLE THERIAULT
Ah, now Dan Ring is Mr. PR Man Extraordinaire, and I've worked with him for a number of years, and he's really wanted to be on the show.
GRAHAM CLULEY
Let's be honest, he's made a bit of a pest of himself wanting to come on the show, haven't you, Dan?
DAN RING
Well, I love you guys more than anything. The sheer opportunity to speak to you out of a microphone and a computer is blissful.
GRAHAM CLULEY
Yeah. As normal, we don't actually want to be in the same room as each other, but hearing each other's dulcet tones is quite pleasant, isn't it, in comparison to that?
CAROLE THERIAULT
I concur.
GRAHAM CLULEY
Rather than having to— The visual is appalling, but the voice is fantastic. I think I speak for all of us.
CAROLE THERIAULT
Yeah, you definitely speak for all of us, not just yourself. Absolutely.
GRAHAM CLULEY
So here is my topic of the week, something I want to talk about from the last week of computer security, and that's this.
If you haven't been putting spyware on your smartphone, China might be a little bit upset with you.
There's a pretty chilling report coming out from China, and it's this: WeChat users in the capital city of Xinjiang Province were sent a message this month telling them to install an app called Jingwang, which apparently means clean internet.
CAROLE THERIAULT
What's WeChat?
GRAHAM CLULEY
Oh, WeChat is a really popular instant messaging program, particularly popular in China.
CAROLE THERIAULT
Well, there you go.
GRAHAM CLULEY
And in Asia. They got this message telling them you've got to install this app. And that message, of course, came from law enforcement, came from the authorities.
Well, what does this Jingwang application do?
Well, it's an extreme form of parental controls, although you could argue maybe it's not so much your parents as Big Brother, because it allows the powers that be to not only block what websites you can access, but also to search your phone for inappropriate images, block certain apps from being installed, and keep records of your online chats.
And so they were being told basically install spyware which can snoop on— Whoa, whoa, whoa.
CAROLE THERIAULT
Okay, so users of WeChat were sent this. What, they're being targeted by government agencies? Or does everyone have WeChat installed? Is that the angle?
GRAHAM CLULEY
I think a lot of internet users do, and I'm sure maybe they used other methods to tell people to install this as well.
But it was particularly members of the Uyghur Muslim community, who make up a large part of the population in Xinjiang, who seem to have been targeted.
So it's only this province which has really been getting these messages. Now, what happens if you don't install the app?
Well, the authorities take a pretty dim view of that, as The Register reports.
There was one report that 10 Kazakh women in the region were arrested after they had a group chat discussion about immigrants, which was picked up by the censors.
CAROLE THERIAULT
And that wasn't allowed? So that's a no-no.
GRAHAM CLULEY
Right. That's a no-no. And there have been reports that police checkpoints are demanding that citizens hand over their phones to be checked to see if they have the spyware installed.
And if you don't have it installed, you could be detained for up to 10 days.
CAROLE THERIAULT
So you could be detained for 10 days if you do not install this app.
GRAHAM CLULEY
That's right.
Which spies on you and shares your information with the government, uploads private information about your communications, what websites you've been trying to access, about your online chats.
DAN RING
Where are you detained? Is it at a Chinese jail? Do we know?
CAROLE THERIAULT
It's not a restaurant.
DAN RING
I'd like to know. I mean, you know, maybe it's a nice place. I don't know.
CAROLE THERIAULT
It's at a water park. It's at a water park.
GRAHAM CLULEY
Yeah, the Xinjiang Hilton, something like that.
DAN RING
Thinking of lovely meals.
GRAHAM CLULEY
I love the way you're thinking, because that's the way the Chinese authorities operate, isn't it?
They do try and make it all come— here's a comfortable cushion, just sit there for 10 days, why don't you?
CAROLE THERIAULT
I'm surprised that they're choosing this approach to do it so openly rather than do it the Western world where they kind of try and hide the fact that they're spying on you by giving you something nice and shiny to look at.
GRAHAM CLULEY
Well, China doesn't really hide its attitude to the internet, does it?
It has for a long time tried to control what its population does and the information which it gains access to, and this is, I think, is just the latest thing.
Now, the challenge for the Chinese authorities, just as it is for intelligence agencies all around the world, is that technology has moved on and now we have truly private encrypted communications.
And if you are in law enforcement, let's just put their hat on for a second and their jackboots, the challenge for them is that they want to see what people are saying.
They want to stop what they believe are wrong activities.
CAROLE THERIAULT
Well, if there's suspicions, I'm guessing particularly, you know, if something's, yeah.
GRAHAM CLULEY
But you don't want dissent and you maybe don't want terrorists and you want to stamp out organized crime. And as we've seen, I mean, I'm based in the UK most of the time.
And as we've seen there and in other countries, there is this big push to weaken encryption for the technology companies to work more with law enforcement to enable some sort of backdoor, some method of seeing what people are privately communicating.
And end-to-end encryption, when implemented properly, when the maths is right, you can't break it. You have to water it down. You have to break the encryption.
The only way to do it is to get to the individual devices themselves. And that seems to be the approach the Chinese are taking and saying, OK, it's too hard to break the encryption.
What we're going to do is we're going to have something listening on the device itself.
CAROLE THERIAULT
So we're going to force our citizens to install this. And so if someone has two phones, do you know what I mean? I wonder how people are gonna try and get around this.
DAN RING
Yeah, is there a bring your own non-spyware device?
GRAHAM CLULEY
I guess the risk will be that if you're in this particular province and you're found to be carrying a device which hasn't run the software, that instantly makes you ultra suspicious and they could take very serious action against you.
But my concern is that other countries around the world who are finding it hard to pressure the tech firms to work more closely with law enforcement and weaken security and privacy for all of us, may want to simply force their phone users to do something similar.
This could be a precedent, really.
Yeah, a precedent for which we see other— I mean, it's terrible to think that we would all follow in China's footsteps, but I can imagine there might be some countries around the world which would want to do this, including in the West.
Yeah, well, anyway, wow.
So this is horrible news from China, and let's hope this doesn't get worse, but I've got a bad feeling about— I wonder, do you think they're beta testing it in this region, in Xinjiang?
I think this particular region is of concern because there has been insurgency there. There's been a long history.
Obviously, a lot of the people there aren't necessarily happy with the Chinese authorities.
CAROLE THERIAULT
And I guess the problem with it is it's not like they're trying to get access to phones of people who they're suspicious of committing a criminal act.
They're trying to get access to everyone's phone in order to be able to deter criminal acts, I guess, that use phones.
GRAHAM CLULEY
Or acts which they feel are subversive.
CAROLE THERIAULT
Yeah, so everyone's paying the price. Everyone's paying the penalty.
GRAHAM CLULEY
And you know, what do we talk about all the time? We talk about the importance of using VPNs. I've just heard that Russia are taking steps against VPNs in their country as well.
You know, all these things which we do to protect ourselves from online criminals and also have this side effect of keeping ourselves private from our governments as well, they're all being brought into the battle, aren't they?
There's this huge fight going on. And anyway, this seems like bad news to me.
CAROLE THERIAULT
Yeah, Graham, as you always say, thanks so much for sharing this happy story this week.
DAN RING
Well, I just did a search for Xinjiang detention centers. I just looked at images and, yeah, I don't think I'd want to spend 10 days in one of these places.
GRAHAM CLULEY
Yeah, you went on TripAdvisor.
DAN RING
Shockingly, it didn't get a lot of stars. It didn't, but I was curious. But then there are some other images as well that look a little less threatening.
GRAHAM CLULEY
Dan, what story have you got for us this week?
DAN RING
Well, I'm glad you asked. A lovely story, a more uplifting one. Rehab camp aims to put young cyber crooks on right track.
So these young kids who don't necessarily follow that straight and narrow path, these are very smart kids who got into hacking for a variety of reasons.
Some of these kids were bullied, it turned out, when they were in school.
Other kids just realized they had a knack for doing some things that they didn't even realize were nefarious.
And then it turned out that they could do more and more and more, and they just ended up testing their limits. And it's basically unlimited. That's how skilled these kids are.
And some of these kids actually, they really didn't do necessarily bad things or things that they thought would be bad.
But as a result, you know, the police, the fuzz, or whatever they're called in the UK, because this is a UK initiative sponsored by the National Crime Agency.
They have been tracking these kids for a while, and instead of arresting them, they have taken this progressive and innovative approach, I think, and they're putting them into these camps, this weekend camp for offenders, the first of which was held in Bristol this month.
CAROLE THERIAULT
Sounds like a nice sunshine name for something not very fun, a weekend camp.
DAN RING
But yeah, it's better than 10 days in a detention center. But they're learning about responsible use of cyber skills. They're getting advice about careers.
CAROLE THERIAULT
So they're learning how to hone their skills and use them for good rather than for bad. Exactly. And the idea—
DAN RING
Oh, they're not going to jail.
CAROLE THERIAULT
How old are these kids?
DAN RING
These kids are young. They're middle school age kids, and these kids started when they were very young.
Certainly their computer skills, as you both might know, are a little more advanced than mine, and shockingly.
CAROLE THERIAULT
Yes, I think that's probably true of all of us, really.
DAN RING
Well, no, but in particular, you're probably right. But either way, these kids started young and they got hooked on it, much like kids get hooked on other things.
In this case, they were drawn into making malicious code, making their own exploits. From there, their curiosity was piqued by doing more and more of this.
But once again, the fact that they're not being sent to jail, you can look at this as maybe a more pleasant weekend reform school.
GRAHAM CLULEY
Well, yeah. I mean, for instance, I haven't been to rehab, let me stress that. But I've been sent on these speed awareness courses.
CAROLE THERIAULT
Oh, I've had one of those, yeah.
GRAHAM CLULEY
And I'd rather do that than get the fine or the points on my driving license or something.
CAROLE THERIAULT
We should explain how it works. We should explain how it works.
CAROLE THERIAULT
The speed awareness course.
GRAHAM CLULEY
So what happens in the UK is there are lots of speed cameras everywhere, and if you drive too fast or if you're driving the wrong speed in the wrong area, you get your photograph taken, you get the letter through the post saying we're going to add points to your license.
And once you reach a certain number of points, you lose your driving license.
CAROLE THERIAULT
Exactly. Yeah.
GRAHAM CLULEY
So you don't want that to happen.
And so what they do is they say, okay, rather than give you points this time, we're going to send you with a bunch of other reprobates on a 3-hour course where you'll be shown videos and you'll have discussions about driving and all the rest of it.
And, you know, they are quite interesting. You learn things which you forgot because it's a long time since you took your driving test.
But they are something rather to be endured, aren't they?
CAROLE THERIAULT
Totally. Especially when I got caught and I was going 2 miles above the speed limit and I had to go on a speed awareness course.
And it's funny, I mean, of course they have to draw the line somewhere, but somehow when you're so close to it, you just think, God, guys, come on.
GRAHAM CLULEY
So, yeah, yeah, yeah.
DAN RING
So this is like that speed awareness.
GRAHAM CLULEY
It is a little bit.
But at the same time, this is something which, you know, if they have— so I don't really have an interest in driving, but these guys do have an interest in computer security.
They have been maybe defacing websites or launching DDoS attacks and doing naughty things like that. So they're interested in this stuff.
Maybe this is an avenue through which they could see an opportunity to use those skills or some of the things which they've learned about computer security in order to build a career, to make some money in the future rather than going the malicious route.
And this way they won't end up in jail. I mean, it seems quite a sensible thing to me to be given that opportunity.
And I wonder actually if the authorities and the likes of GCHQ may monitor these meetings and think, yeah, we've got a really talented guy here, maybe he could come and work for us and do some stuff for us as well.
DAN RING
It could be a great recruiting tool.
CAROLE THERIAULT
Yeah, I do think that. I think it's exposure.
I mean, I went to University of Waterloo and I worked through my university degree, so I would go 4 months to university and I would do 4 months in office or, you know, whatever, doing different jobs every 4 months.
And it helped pay for my university, but it also gave me really nice young access to, you know, knowing how to be.
DAN RING
So one of the things with this program and some of these programs, I don't know what they have in the UK, but in the States, at least for those of us when we were in high school, they had these scared straight programs.
So they would send us to detention centers, unlike the one in Xinjiang, and we would meet with these people, these criminals who were on their way to being reformed, and they would literally scare us straight.
GRAHAM CLULEY
Oh, I see, scared straight that way. I'm sorry, Dan, I was thinking of something else.
DAN RING
Oh, no, no, no, no, yes, no, no, no, no.
GRAHAM CLULEY
I don't think you can fix that, Dan. I think you're born with it, actually.
DAN RING
I think you are as well. In this case, so scared, yes, the straight and narrow. Yes. But no, I do agree with your other point though as well.
And of course, in this situation, you're going to have these reformed hackers, these black hats becoming white hats who are actually mentors to some of these kids.
So it's a win-win.
GRAHAM CLULEY
Okay. Well, I suppose we have to do something. We can't always just hit everybody. I mean, prison frankly is not the answer for everything, is it?
I think, you know, young people make mistakes.
And, you know, people will do things which get themselves into trouble, and it would be nice to think that they had some route for fixing themselves and getting some good of it.
What I don't like is when sometimes there are people who've become notorious through hacking, for instance, and they've actually built a career based upon the fact that they did bad stuff, and there are other people who kept on the straight and narrow right from the beginning, developed their own sense of morality and ethics.
And, you know, sometimes I really dislike the way that some of the hackers are applauded.
CAROLE THERIAULT
Yeah, almost rewarded. Rewarded for their— Yeah, I agree.
I do think that's a bit of a problem because we should really celebrate those that stay on the straight and narrow and, you know, don't need to learn a lesson.
GRAHAM CLULEY
But rehab, yeah, I guess we've got to have that, haven't we? And so—
CAROLE THERIAULT
Makes sense.
GRAHAM CLULEY
Good to see that happening.
CAROLE THERIAULT
And good luck to them.
GRAHAM CLULEY
So Carole, have you ever been on rehab or anything in particular you'd like to talk about on the show?
CAROLE THERIAULT
No, thank you. I've never been on rehab.
CAROLE THERIAULT
How embarrassing if I had, you know?
GRAHAM CLULEY
You probably wouldn't admit it.
CAROLE THERIAULT
Let me talk about my topic.
CAROLE THERIAULT
So, on Tuesday, I was reading that iRobot CEO, Colin Angle, hopes indoor mapping data collected by Roomba automatic vacuum cleaning machines can be sold. Did you understand that?
Okay, so—
GRAHAM CLULEY
Okay, so you mentioned the Roomba, that's the robot vacuum cleaner thing, isn't it? Looks like a Dalek.
CAROLE THERIAULT
Exactly. I coughed up my muesli here as well. So, this is talking about vacuums, little Roombas, those little automatic smart vacuums that go around.
And back in 2015, you might remember that Wi-Fi-friendly Roombas came out on the market.
And the whole idea was that they'd have sensors that spontaneously adjusted cleaning patterns based if you basically moved furniture or left stuff lying around.
And all this time you're thinking, oh, well, that's very useful. Thank you so much. But actually it was basically collecting and parsing the data on our flipping homes.
So, floor plans, room dimension, furniture layout, basically the shape of everything on the floor, how often you clean, how dirty your house is, whether you have parquet or carpet, all this information can be collected via the Roomba.
And that's what it's been doing since 2015.
GRAHAM CLULEY
Oh, so this is a bit like Google Street View. Kind of. So, they've been going up and down roads and they've been mapping things.
They've been mapping things with Wi-Fi and obviously taking photographs. The Roomba doesn't take photographs, but it's learning about the layout of your house.
CAROLE THERIAULT
Exactly. And it's been doing so. And I'm sure in the small print, that caveat was definitely taken care of.
But you know, you're thinking while these things are actually just there to collect pet hair and dirt, it's actually been spying and collecting info on our houses.
GRAHAM CLULEY
But hang on, seriously, what use would the information be about whether I had a big beanbag in the front room or something like that?
CAROLE THERIAULT
Graham, I thought exactly the same thing. I was thinking, why would that be useful, right?
I was thinking, okay, well, maybe it'd be useful for furniture advertisers who could assure you that new sofa would fit through the doors or fit inside the room, right?
Because they'd have the dimensions.
Or maybe smart thermometers could have preset controls specifically for the house spec, you know, for the size of the house and that kind of thing.
Maybe your sound system could use the spatial mapping, you know, to improve the audio quality. So those are the things I'd come up with on this.
GRAHAM CLULEY
Yes. Be handy for burglars as well, I imagine. Well, that's what I'd ask. If there were any traps or something, you know, that you'd laid for them.
CAROLE THERIAULT
They're, hey, look, there's a back door.
DAN RING
Will it sense traps?
CAROLE THERIAULT
Well, I'm just waiting for the Roomba to have a little video camera on it and a microphone as it goes around.
You know, it could actually just increase and be able to take pictures of everything around to help you with, you know, your pictures on the wall, decide where they're going to go and how big they should be.
GRAHAM CLULEY
That could be quite handy though, if you've lost the remote control to your television. And the Roomba could say, I think I found it, it's down the back of here, you know.
DAN RING
If they have a feng shui part of them, I mean, I think that would be good.
CAROLE THERIAULT
So yeah, maybe they'll give you advice on room layout.
So the whole idea here is that CEO of iRobot is planning to sell this mapping info that he's been collecting for the last few years to one of the three big players.
So we're talking Amazon, Apple, or Google. Right.
CAROLE THERIAULT
Now he does say he won't do this without customer permission, but he believes most people will give consent to access smart home functions.
So all those things I was talking about earlier, thermometers and sound systems and the like, he thinks those are going to be sweet enough for people to say, yay, yay, yay, and share all their information of their house.
GRAHAM CLULEY
Okay, so here's my challenge for Mr. Roomba here, right? The CEO of the Roomba vacuum company.
CAROLE THERIAULT
I always imagine him doing a little cha-cha-cha when we say that.
GRAHAM CLULEY
Doing the Roomba. Here's my challenge. If he thinks this is such an attractive thing, if he thinks that people all think, oh yeah, I'd love that, I'd love that.
Leave the option turned off by default.
GRAHAM CLULEY
And explain why this is so marvelous and why people should turn it on.
My guess is that when they eventually, they come around to doing this, they're going to turn it on by default because they know most people won't turn it on.
But if they really, really genuinely believe that this is something which people would want, turn it off by default and show us that that's the case.
DAN RING
I just don't see the point of this. Sorry to interrupt. I think Mr. Angle's angle, to use a really, really bad pun, seems pretty hokey. I'm sorry for being negative.
GRAHAM CLULEY
Well, he's looking to make some money, isn't he? And I mean, he's looking for some company which will find some sort of use of this and will do it. But it's—
CAROLE THERIAULT
Well, yeah. And the thing that, you know, I was looking around at what people were saying in comments on this article because I wanted to see what, you know, people thought.
And a lot of people were, oh, I don't know if I like this. You know, I'm not going to buy the next Roomba and I'm going to—
CAROLE THERIAULT
And that was one of the ideas, are people going to choose cheaper, more private options for, I guess, their SmartVac, or maybe just a vacuum. I don't know. I know that sounds crazy.
Maybe just have a normal vacuum as opposed to wanting this, you know, this smart but more privacy intrusive option.
CAROLE THERIAULT
I mean, one guy said online, and I agreed with this guy, this was on MacRumors.
He says, ethically, I have an issue with people attempting to collect data from devices I own to resell to others when it's not for my direct benefit.
And, you know, I agree with that. Yeah, you know, that's said in a nutshell.
GRAHAM CLULEY
So, you know. So take that, shove that up your Roomba.
CAROLE THERIAULT
Exactly. Well, I think our options here is when Roomba or iRobot get in touch with you and say, hey, you're cool with this, right? Think about it before you say yes.
Think about what you're allowing that data to go.
CAROLE THERIAULT
It's gonna go to third parties. They might get sold. Read the small print is my recommendation.
GRAHAM CLULEY
Is this company's name really iRobot?
CAROLE THERIAULT
Yes, it really is.
DAN RING
It really is. Yeah. They're local to where I live, actually.
CAROLE THERIAULT
They were iRobot before iRobot was iRobot.
GRAHAM CLULEY
Oh, really?
DAN RING
They really were.
GRAHAM CLULEY
Because all I can think of is Wiki Wiki Wa Wa, Will Smith, or whoever it is, fighting all those androids. And that didn't end well, did it?
Would you really want to name your company after that? It's like, I was in a hotel the other day, right? And it was a chain of hotels. They were called the Titanic Hotels.
CAROLE THERIAULT
Graham, what's your company named?
GRAHAM CLULEY
My company name? Yeah. Cluley Associates.
CAROLE THERIAULT
So Cluley Ass. Okay. Let's talk about fun names.
GRAHAM CLULEY
I think it's time to give a shout out to our sponsor. Let's find out who's sponsoring the show this week.
CAROLE THERIAULT
Hey, Graham.
CAROLE THERIAULT
Do you know what one of the biggest headaches for IT admins is?
GRAHAM CLULEY
Ooh, tell me, tell me, hit me.
CAROLE THERIAULT
It's identifying, prioritizing, and managing vulnerabilities. Vulnerabilities and basically remediating these vulnerabilities.
CAROLE THERIAULT
Apparently it can be quite simple if you use InsightVM by Rapid7.
CAROLE THERIAULT
Yeah, you can build a vulnerability management program that works for you with InsightVM and you can get a free 30-day trial at rapid7.com. That's rapid7.com.
CAROLE THERIAULT
Back to the show.
GRAHAM CLULEY
Welcome back to the show. To what I think is probably our favorite point of the show. It's the point where we get to say it's time for Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week.
CAROLE THERIAULT
Dan, you have to say it just once.
DAN RING
Pick of the Week.
GRAHAM CLULEY
Hey, hey, there we go. Pick of the Week. Everyone chooses something which they like. Could be a funny story, book they read, TV show, movie, record, whatever it is, podcast.
Well, it doesn't have to be security related necessarily. But it can be if you want. Now, my pick of the week is this. I've got a sad story to tell you all. Oh, yes, another one.
As I mentioned, I've come away on a little trip. And just before I came away, my MacBook— well, it Mac broke.
CAROLE THERIAULT
Oh my God.
GRAHAM CLULEY
It completely went phut. And that was it.
CAROLE THERIAULT
You're going to call the episode this, aren't you?
GRAHAM CLULEY
No, no, it's not all about me for once, TM. No, my MacBook broke in a rather unpleasant way, and it was all very sad.
And I needed a computer quick, and I wanted a Mac because I had certain pieces of software I wanted to run, including to make this podcast.
And so I went out to very quickly buy one. So I went to the shop, and of course they only have these new god-awful MacBook Pros, which are all—
CAROLE THERIAULT
Well, you had a MacBook Pro before. You used to—
GRAHAM CLULEY
Well, it was. Those were the golden era of MacBook Pros. Now they've changed it all. They've changed the keyboard. They've taken away all the ports.
It's like, how can this be a professional device?
CAROLE THERIAULT
For posterity, can we have the numbers just for someone's listening to this in 3 years?
GRAHAM CLULEY
What do you mean the posterity?
CAROLE THERIAULT
Well, MacBook Pro now, how has it changed? How do I define this one over the last one?
GRAHAM CLULEY
So this particular one, which I have, has 2 USB ports, but not USB as you and I think of it. These are USB-C ports, which are, yeah, smaller. Different.
Well, they're supposedly faster, but basically you have to buy a whole bunch of dongles.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
And there's no mini DisplayPort, there's none of this, there's none of that, there's a headphone port. That's it. They haven't given me anything else.
So I've had to buy an array of dongles. So that annoys me to begin with.
GRAHAM CLULEY
And they've got this new keyboard, which I think Apple have had for a couple of years now, and they've tried to make it better, but it's still not as good as the old one.
But the whole reason why all these features and ports have been taken away and the keyboard's been redesigned is because they want to make it thinner.
And as I think I've just said before, I don't want a device that's thinner. I just want a device with a better battery and blah, blah, blah, right?
CAROLE THERIAULT
More staying power.
DAN RING
Can you say dongle one more time, please?
GRAHAM CLULEY
Yeah, how do you say it? Dongle?
DAN RING
I don't— it's a word that I rarely use, but I just love when other people use it.
GRAHAM CLULEY
Okay, all right. So there's many drawbacks of this thing, although it has a slightly faster CPU. Who cares, right? Because what I'm doing, I don't really need a fast CPU.
But anyway, grumble, grumble, grumble. Graham grumbling as usual.
CAROLE THERIAULT
It's very unusual. It's very unusual for you to be complaining. So, you know, you crack on, you get on the soapbox, you deserve it. You've earned it.
GRAHAM CLULEY
So I am going to get to my pick of the week, right? This is just the preamble to my pick of the week.
GRAHAM CLULEY
Because one of the things, because it doesn't have its own little power port now, right? You power it through one of these USB-C ports, these tiny USB things.
And that means that one of the things Apple have removed is their MagSafe cable, because one of the great things about the old MacBooks was that if someone tripped over your power cable, the cable would just ping out of your laptop.
GRAHAM CLULEY
Without bringing your laptop crashing to the ground.
GRAHAM CLULEY
And you losing $2,000 or whatever it is, right? So that was great. Well, they got rid of that.
CAROLE THERIAULT
Well, I guess they want to sell more laptops to those that trip over this cable.
GRAHAM CLULEY
So I, because I don't want to have to buy another laptop this year, I have acquired a special cable. It is called— yeah, it's called the Griffin BreakSafe Magnetic USB-C cable.
So it allows you to power your USB-C laptop, your MacBook Pro in my case.
You could also use it for a phone if you had a particularly heavy phablet or something and you wanted a cable that people wouldn't— weren't going to trip over.
And it basically replicates the MagSafe feature. So it will just flick out on a magnet if you want it to, which is terrific.
If you want to see a video of this in action, I saw iJustine, if you know her, on YouTube. She did a review. Many other people have as well. You can go and check out her review.
And she says, do you need it? No, you probably don't, but you probably want it. Is it worth the money? Probably not, to be honest, but I still bought it. It was about—
CAROLE THERIAULT
And you love it, don't you? I bet you love it.
GRAHAM CLULEY
Well, no, I don't have— just like all these dongles, I don't love it, but it's— having now got one of the ruddy laptops, I want to protect it.
And so I've had to go and spend even more money to get to replicate the functionality which MacBooks had 2 or 3 years ago. So that is my pick of the week.
Don't get that if you've got a MacBook Pro and don't allow your MacBook to be broken.
DAN RING
I love dongles. Sorry.
CAROLE THERIAULT
Okay, Dan, what's your tip of the week?
DAN RING
Pick of the Week or Tip of the Week?
CAROLE THERIAULT
Oh, sorry, I forgot.
DAN RING
So it's funny, I was originally going to— my Tip of the Week or Pick of the Week was about a Bad Bunny, but I've switched it.
DAN RING
A lot of people in the States— I'm not sure how popular burritos are in Europe or in the UK for that matter, but we've heard of them. Have you heard of burritos?
GRAHAM CLULEY
You don't have as large a Mexican community as you do United States. So that could be part of— we have a lot of Indian and Chinese.
CAROLE THERIAULT
We have loads of Mexican places.
CAROLE THERIAULT
Yes, go to London. We have about 4 in Oxford.
CAROLE THERIAULT
Yes, Graham just doesn't get out much.
DAN RING
Well, more than 135 diners got sick after eating at a very well-known chain in the States that might have outlets elsewhere called Chipotle, which is also the name of a spice that I enjoy.
GRAHAM CLULEY
They had a data breach recently as well, I think.
DAN RING
They've had some issues. They've had some stomach-churning issues.
DAN RING
Sorry. Yeah, and actually, this is not their first outbreak, but this is their most recent one. So more than 135 people contracted something called the norovirus.
If you don't know what norovirus is, it's pretty bad. Thanks to Wikipedia, I'm just gonna give you a couple of symptoms.
It's characterized by nausea, vomiting, not just diarrhea but watery diarrhea, and I thought that they were actually one and the same, abdominal pain, and in some cases loss of taste.
But on the plus side, it only lasts 2.5 days, and it's a very easy and quick— not an easy way, but a quick way to lose a lot of weight.
GRAHAM CLULEY
You might actually have lost your sense of taste before you went to this place to buy the burritos.
DAN RING
There's a good chance, but think about it.
If you can lose weight— and I just snapped even though we're not on video— 2.5 days of just these symptoms, but you lose 10 pounds and it's beach season and I'm being vain right now.
GRAHAM CLULEY
Dan, have you ever had this kind of thing? I haven't. It's the most horrible thing in the world.
DAN RING
It sounds pretty bad. If this were a detention center, it would be a Xinjiang detention center. That's what it's— it's actually known as the winter vomiting bug.
That's something else. But either way, I would tell people to abstain from burritos for the time being.
CAROLE THERIAULT
That's your pick of the week. That's your tip of the week.
DAN RING
Until they rectify the situation.
GRAHAM CLULEY
So your pick of the week is basically something like cheese sandwiches or something like that.
CAROLE THERIAULT
Anything but a burrito.
GRAHAM CLULEY
Anything apart from burritos. Burritos.
DAN RING
You can eat anything you want, just avoid burritos for the time being. You can eat cupcakes. I had cupcakes for lunch because I was avoiding burritos.
I was basically scared straight, and I just had cupcakes today, and I feel much better.
GRAHAM CLULEY
Well, thank you, Dan, for that. It's my pleasure. Pick of the week.
DAN RING
Yeah, abstain from burritos, the listening public, please.
CAROLE THERIAULT
I think it's a great pick of the week. I think it should be out there.
DAN RING
Oh, thank you, Carole.
GRAHAM CLULEY
Yeah, I can't wait to hear what your one's gonna be.
CAROLE THERIAULT
Oh, mine's a wacky one as well. So my one this week is all about the MS Paint drama. Did you read anything about that, you guys?
GRAHAM CLULEY
What's going on with MS Paint?
CAROLE THERIAULT
Yeah, so on Monday, The Guardian reported that MS Paint was to be canned, and this— they got this information from Microsoft support pages that said basically it was not gonna be in active development and might be removed from future releases.
So the idea is that it was gonna be replaced with Microsoft Paint 3D, right?
CAROLE THERIAULT
3D? Yeah, so yeah.
And people weren't happy and thousands of people started posting Microsoft Paint images on Twitter and other social media sites, doing RIPaint and basically mourning the demise of MS Paint.
And it's great, it's worth going to look at it because there's some really good ones there. But it turns out the press got it a bit wrong.
Microsoft are not actually killing MS Paint, but they're moving it away from the default install to the Windows Store. So basically what's happened is it's lost its default status.
GRAHAM CLULEY
And so why have they done that?
CAROLE THERIAULT
Well, because they want to, I guess they want to have people use this Microsoft Paint 3D. It has more features, it's better, it's cooler, so they say.
Now, obviously everyone knows I'm a big Luddite on the show and I love the fact that it has just what you need to do things.
Now, I'm not actually a Microsoft Paint user anymore, but I have one big reason why I do not want it to die.
And my tip of the week is for everyone to go visit this website because it is worth it. I want everyone to go see jimmelpaintit.tumblr.com.
This is a wonderful blog consisting of mostly humorous and surreal artwork painted by Murray using only MS Paint, and he does this by request from Tumblr users.
So he's been doing this for years.
I'm gonna give you an example of one that he's drawn: "Dear Jim, he'll paint it, please can you paint Trump, Pence, and William Pryor in drag on RuPaul-esque drag show with Obama Mama is RuPaul telling them to sashay away." So that will be a very typical challenge that will be given to Jim Will Paint It.
And look, I've sent you guys the pic of what he actually created from that. So you guys could see it and maybe explain it - MS Paint, right? MS Paint.
GRAHAM CLULEY
This is unbelievable because MS Paint is really quite rudimentary, but this is a fantastic picture.
CAROLE THERIAULT
It is a fantastic website. It is great fun if you need to waste a few minutes just to revitalise your faith in humanity's silliness - this is the place to go.
GRAHAM CLULEY
I love it, I love it. So Jim will paint it.
CAROLE THERIAULT
Jim will, yep, Jim Will Paint It. Just check the show notes if you want to have a quick link to it.
GRAHAM CLULEY
Fantastic. Well, Carole, well, Dan, thank you very much. That just about wraps it up. Thanks for tuning in.
All that remains to be said is that if you enjoyed the show, you should tell your friends.
GRAHAM CLULEY
And you should tell the world, shouldn't you, Carole? And what's the best way? What's the best way they can tell the world, Carole?
CAROLE THERIAULT
Look, it's true that if you give us a review and you give us a good star rating, more people can find us. And if more people can find us, we can make more shows.
So it's all this big machine that we ask, we beg, if you do like us, tell us. Okay, Graham, is that good?
GRAHAM CLULEY
That was pretty good, yep.
Go to iTunes or Stitcher or something like that and say that you like the show and then more people might find out about it and then we'll carry on doing these episodes.
And to find out about some of our past episodes, you can go to www.smashingsecurity.com and drop us a line there or follow us on Twitter @SmashInSecurity.
No G, no G on that on Twitter. But until next time, Dan, thank you very much.
DAN RING
Graham Cluley, my pleasure. I loved it, thank you.
GRAHAM CLULEY
Smashing Security. And until next time, bye-bye, toodaloo, bye.
CAROLE THERIAULT
I thought it was all right. You know, it was all right.
I'll bet this is going to be good. I like the first part of the title. I've never heard anyone say, "Up the Roomba", before. They sure can say it now.
This house layout data could also be sold to the Peelers or the military, etc. to clamp down on anyone for anything.