Smashing Security podcast #071: Pony-tailed pundit ponders privacy problems

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Smashing Security #071: Pony-tailed pundit ponders privacy problems

Endangering your friends online, the fibs told by VPN vendors, developments from the world of cryptomining, and Carole shares an animated GIF with Mikko and Graham.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, who are joined this week by Mikko Hyppönen from F-Secure.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
The default is always going to be the one which the website wants you to choose, right? It's not what is necessarily best for you.

It's rarely what is best for you in terms of privacy and security.
CAROLE THERIAULT
I know, but listen, if I go to my doctor, right, and my doctor says to me, "Carole, I advise that you do X," and I'm thinking in my head, "Well, I'm not a doctor.

I don't know as much as they do." You know, when Facebook came out, you were probably thinking, "Hey, they've got our best intentions.

They want to look after their users because we are their bread and butter." Okay, you give the analogy of walking into a doctor's office.
GRAHAM CLULEY
I'd like to suggest don't walk into the doctor, walk into the abattoir instead, dressed up as a pig. All right?
Unknown
And then say, "Where would you like me to sit?" Smashing Security, Episode 71: Ponytail Pundit Ponders Privacy Problems with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, Episode 71. My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And we're joined by our returning guest, a returning guest. It's Mikko Hypponen. Hello, Mikko.
MIKKO HYPPONEN
Hello there. Yes, the returning guest. I'm happy to be here.
GRAHAM CLULEY
We've been practicing the pronunciation of your name so much that we've forgotten how to say the word guest. You're Chief Research Officer, is that right, at F-Secure?
MIKKO HYPPONEN
That's right.
GRAHAM CLULEY
But I found another string to your bow. I was following you on Twitter and I heard you talk about a graphical adventure game that you wrote in the late 1980s.
MIKKO HYPPONEN
True story.
GRAHAM CLULEY
On show in a museum.
MIKKO HYPPONEN
Correct.
GRAHAM CLULEY
How cool is that?
MIKKO HYPPONEN
It is the coolest thing. I'm actually really, really proud about this fact. I am in a museum.

I've been volunteering at the Internet Archive for two years now, collecting the malware museum and stuff like that.

But what's happening here now is that there's a real physical museum in the city of Tampere, which is the second largest city in Finland.

And the city museum has a separate permanent game museum, which is actually fairly large and fairly worth visiting.

And they renewed their exhibition and they added my game from 1987 into it.
CAROLE THERIAULT
Oh, did you do a really big fist pump when you heard the news?
MIKKO HYPPONEN
I sort of did. I sort of did. My brother Ari and I were really glad. We wrote this game together on our Commodore 64 in 1987. Actually, we wrote a series of these games.

It's a series of 7 adventure games called Pajayutu.
GRAHAM CLULEY
And I put that into Google Translate because I was curious as to what it meant. Now, Google Translate says it's tough shit. Is it rude?
CAROLE THERIAULT
What is it?
GRAHAM CLULEY
Google Translate says it's tough shit.
MIKKO HYPPONEN
Is there a lot of poop in the game? There's a lot of blood. It's very violent, unfortunately. Yes, yes.

And I actually don't think they realized this when they archived it into the museum because you only see the bloody parts a little bit later on in the game.
CAROLE THERIAULT
So you're not going to tell them? How much would they ever play it?
MIKKO HYPPONEN
Well, you know, they have school groups coming over to see the history of games and, you know, and then—
CAROLE THERIAULT
Yes. Okay. We won't tell them. Nobody tell them.
GRAHAM CLULEY
Well, I think this is really cool because the weird thing is around about the same time I was writing adventure games as well.
CAROLE THERIAULT
And here we go. Here we go. I knew there'd be a way to get your stuff in.
GRAHAM CLULEY
No, but I never knew this about Mikko. It turns out that these games were distributed on the front of magazines, just like my games were in the UK.

And it's so bizarre that we both ended up in the world of antivirus.
CAROLE THERIAULT
Maybe you guys are twins separated at birth.
GRAHAM CLULEY
Yes, we are. We do look very similar. We do. Yep.
MIKKO HYPPONEN
Moving on.
CAROLE THERIAULT
This episode of Smashing Security is sponsored by LastPass. LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size with the right tools to secure your business with centralized control of employee passwords and applications.

But LastPass isn't just for enterprises. It's an equally great solution for business teams, families, and single users.

Go to smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses.
GRAHAM CLULEY
And welcome back. Now, those of you who listened last week will know that we were talking about the shady practices of Facebook and Google.
CAROLE THERIAULT
Yes, big news, big news.
GRAHAM CLULEY
Cambridge Analytica, of course, who managed to get their paws on 50 million people's data after a couple of hundred thousand people took part in a Facebook personality quiz while running an app.

And the end result was that people's information without their knowledge or explicit permission ended up in other people's hands.
CAROLE THERIAULT
I would say, go listen to the episode. It's freely available from smashingsecurity.com.
MIKKO HYPPONEN
It's free? For free.
CAROLE THERIAULT
No, and there's no gate and we don't need any personal information. So yay.
GRAHAM CLULEY
Oh, wow.

So if you haven't heard the episode, just to quickly summarize what would happen, if you were, for instance, a woman on Facebook, I don't know, name like Stormy Daniels, and you decided to run a third-party app, which didn't mind grabbing your friends' particulars, some of your friends might be fine with that, but your buddy David Dennison might be quite angry to find himself entangled within it all.

But before too long, it begins to happen. So what I want to talk about today ties in with this current Facebook and Cambridge Analytica debacle.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
But it goes much wider than that. Now everyone's been beating up on Facebook, maybe with good reason. There was a story which started spreading initially on Twitter.

A user called Matt Johnson tweeted, oh wow, I've just deleted my Facebook account and I downloaded a zip of all my data.

Contains info on every single phone, cell phone call, and text. Totally not creepy at all is the implication. And so lots of other people began to write about this.

Oh, you know, Facebook on Android has been scooping up all of this information without people's knowledge.

And the truth was rather different because Facebook did actually tell you it was going to do this.

Rightly or wrongly, it was pushing people towards uploading continuously information about their contacts.
CAROLE THERIAULT
But they encouraged people to do this, right?
MIKKO HYPPONEN
Oh yes.
CAROLE THERIAULT
They wanted the info.
GRAHAM CLULEY
And they said that, you know, doing this would make Facebook Messenger a more pleasant experience, be more helpful to you.

And of course, you know, the big blue button is on turn on and, you know, the subdued option is to not now or to skip this or whatever, but many people were doing this.

So it wasn't completely true that people had got themselves into this mess without thinking necessarily, but the implications were quite significant.

And what concerns me about this, is over and over again, we are seeing people making decisions about other people's privacy.

Imagine, Carole, that my phone number is on your phone, right? Because I'm one of your biggest buddies.
CAROLE THERIAULT
Lucky guy.
GRAHAM CLULEY
Yeah. I'm someone who you regularly want to call or text, right? Every day.
CAROLE THERIAULT
Every day.
GRAHAM CLULEY
I could improve my day by chatting with Graham, you're thinking, right? And you go onto Facebook and you think, oh, that'd be really handy.
CAROLE THERIAULT
I wouldn't go on Facebook, but okay, but imagine, yeah.
GRAHAM CLULEY
Imagine you did. That'd be really handy. I'll just upload this. I'll let Facebook peruse all of my contacts, and then it's got my phone number, it's got my email address.
CAROLE THERIAULT
Now, why would I do that? I'm doing that because it makes my experience on Facebook better in some way, probably because I don't have to add people manually.
MIKKO HYPPONEN
And the reason why you would do it is that this is the default. I mean, this is why people do it, and it's not just Facebook, it's all these. It's even Twitter.

They all default you to sending your contacts there forever.

And I've always been really angry about this default setting, because that means a very big part of normal users will end up doing exactly that.
GRAHAM CLULEY
And whenever they make these choices as to what the defaults are going to be, the default is always going to be the one which the website wants you to choose, right?

It's not what is necessarily best for you. It's rarely what is best for you in terms of privacy as well.

And so the majority of people will just go, yeah, yeah, yeah, click, click, click, click, click.
CAROLE THERIAULT
I know, but listen, if I go to my doctor, right? And my doctor says to me, "Carole, I advise that you do X." And I'm thinking in my head, well, I'm not a doctor.

I don't know as much as they do. I'm gonna trust them. And I think people have that mentality with technology companies.

You know, when Facebook came out, you were probably thinking, hey, they've got our best intentions. They wanna look after their users 'cause we are their bread and butter.
GRAHAM CLULEY
Okay, you give the analogy of walking into a doctor. I'd like to suggest don't walk into the doctor, walk into the abattoir instead, dressed up as a pig, all right?

And then say, where would you like me to sit? Where would be the best place? Oh, over here.
CAROLE THERIAULT
So you're saying the entire internet is an abattoir? Okay.
GRAHAM CLULEY
Not all of it, because sometimes you can walk into a restaurant, right? And then when you walk into a restaurant, you're not the meal that's being served.
CAROLE THERIAULT
Especially if you're vegetarian.
GRAHAM CLULEY
Well, you are the customer, right? Who hopefully is going to be served something delicious and you can choose what it is and you give them money in return. That's the difference.
MIKKO HYPPONEN
Yeah. I don't think that people will look at the advice given by Mark Zuckerberg with the same eyes after this debacle.
CAROLE THERIAULT
No. Well, indeed, other companies though, they're not the only guys that are doing this. This is, you know, there's the next can of worms to be opened here.
GRAHAM CLULEY
No, I'm regularly, for instance, I have to go on LinkedIn.
MIKKO HYPPONEN
You do have to?
GRAHAM CLULEY
Yes. Well, I don't have to, but I've made it. I've made a commercial decision to go on LinkedIn to promote links to my website and to this podcast.

I've sold my soul to the devil and think, I will abuse thousands.
MIKKO HYPPONEN
It's the law.
CAROLE THERIAULT
And you sold everyone. Yeah.
GRAHAM CLULEY
And well, no, I haven't, because what I haven't done is I haven't uploaded my contact address book. But every blinking day LinkedIn is saying, oh, wouldn't you like to do this?
CAROLE THERIAULT
It does do that, actually. Yeah.
MIKKO HYPPONEN
Like, don't be a wussy. Come on, upload it. Come on, get it done already.
CAROLE THERIAULT
Like in that Facebook, in that Facebook offer of saying turn this on, the other option is not go away forever, but not now.

So that means they can constantly harass you and hopefully one day you'll just click the wrong button and boom, they've got it.
GRAHAM CLULEY
And then they've got you. And of course, even if you delete your data later, there's no promise necessarily that it's not too late.

And, you know, your friends are miffed as a result.
MIKKO HYPPONEN
Right.

However, there's one thing about this recording of phone calls and text messages that I'd like to emphasize as well, which was that if you were running the Facebook mobile app on your phone, it would do this, but it would only be able to do it on Android. On iOS, even if you wanted to do it, and I'm sure they wanted to do it on iOS as well, they were not able to do it.

And that's a good example.
CAROLE THERIAULT
Are you an iPhone user, Mikko?
MIKKO HYPPONEN
Is that an OPSEC question?
CAROLE THERIAULT
I just want to know. I might be collecting this information for something I'd like to talk to you later.
MIKKO HYPPONEN
Well, thank you for asking.
GRAHAM CLULEY
He's got some old Nokia. He's not going to give it away that easily. He probably just uses a walkie-talkie. He's on CB radio.
CAROLE THERIAULT
Of course he has an iPhone. Of course he does.
MIKKO HYPPONEN
Maybe I am, maybe I am not.

But nevertheless, the point I'm trying to make here is that the business model of Google and the business model of Apple might look similar, but they're actually completely different.

This is one of the examples.
GRAHAM CLULEY
Yeah. Apple is perfectly happy making lots of money out of you by charging you more for the hardware.
CAROLE THERIAULT
A lot more.
GRAHAM CLULEY
And they know they're going to make a significant cut out of the App Store as well. So there's lots of ways they're going to get you into the ecosystem.

You're going to love it or whatever. And then it's going to be hard to get away. But you know, that's how they're going to monetize.

Whereas Google is much more free and easy and open. It's like, hey, come on guys. And you think at first, oh, this is some hippie nirvana, but no, no, no, it's not.

While you're dancing around naked, enjoying the age of Aquarius, someone is, you know, got their graffiti and they're smearing you with advertising and all this.
CAROLE THERIAULT
But I bet, you know, at least 90% of the people that are in bed with Apple are also in bed with Google in some shape or form.
GRAHAM CLULEY
Well, they might be, yeah. Things like YouTube, you know, and—
MIKKO HYPPONEN
It's hard to avoid. I actually tried living a life without Google maybe 3 years ago and turned out to be impossible.

I mean, you can replace some of the services with other services like Search and Maps, but you know, exactly the point of YouTube, like someone sent you a YouTube link.

What are you gonna do? You pretty much just have to go and watch it. There's no other option. It's just impossible.

And there's another point to make about people exposing their friends' privacy, which is the habit of tagging people on photos. One of my pet peeves. Yes, me too.

Don't tag other people in your photos unless you know they want to be tagged.
CAROLE THERIAULT
Exactly. Get permission. I agree 100%.

Yeah, and I don't think people realize that, you know, they're doing it to be nice, but in fact it can be, you know, some people like me just really, really don't like that.
GRAHAM CLULEY
And it just helps the great Facebook computer in the sky, doesn't it, learn much more about what we all look like, which potentially could be abused in future.

They're already beginning to use some of their deep learning and their machine learning.
CAROLE THERIAULT
And I have, can I just run a weird theory past you guys?
GRAHAM CLULEY
Yes, go on.
CAROLE THERIAULT
Do you know these emojis, right, that do facial expressions?

So, you know, you can kind of load up a facial expression, it tags it onto an emoji, then you can send it to your friends and you look like a monkey that's surprised or whatever.
GRAHAM CLULEY
Gormless.
CAROLE THERIAULT
Do you think this might be a way of collecting loads and loads of different facial expressions that normally aren't given in photos or in still shots?
MIKKO HYPPONEN
Huh.
CAROLE THERIAULT
Just saying.
MIKKO HYPPONEN
Carole, I hate the way you think. Yes, it could very well be. It actually, that would be really, really clever.
CAROLE THERIAULT
Yes, because there's so many expressions, you know, if you're looking confused or, you know, you'd be able to get all those pictures.
GRAHAM CLULEY
We're going to have to keep some facial expressions really, really private. I think, you know what I'm talking about.

If we keep those ones private, maybe those are the ones which we can use for the really important accounts to unlock them.
CAROLE THERIAULT
Are you talking about not getting off on—
GRAHAM CLULEY
Oh, Carole, please. Oh, okay.
CAROLE THERIAULT
It's you. No, no, I thought that's what he was doing.
GRAHAM CLULEY
There's always someone who lowers the tone. When do we get complaints? Mikko, what's your topic for us this week?
MIKKO HYPPONEN
Well, I really want to speak a couple of things about how cryptocurrencies are shaping the infosec industry.

And I don't want to speak about ransomware at all because we all know how that problem works and what it's all about. But there's other stuff happening.

For example, the fact that we are seeing more traditional hacks and traditional phishing moving from the old targets of banks and PayPal and online stores into targeting cryptocurrency exchanges and crypto users.

And this makes perfect sense from the point of view of the attackers.

I mean, you look at the typical cryptocurrency exchange, these are new companies, they are startups, they have, what, 20 people?

But with the current sky-high valuations of all these cryptocurrencies, that startup of 20 guys might be sitting on top of billions of pounds or billions of dollars.

That's a very good target. These guys don't have dedicated security teams and they have these massive amounts of money.
CAROLE THERIAULT
Yeah, there's no framework in place, there's nothing. Yeah, interesting.
MIKKO HYPPONEN
Exactly.

And this is one of the reasons why we see all these Twitter phishing accounts mimicking Elon Musk and cryptocurrency investors and trying to get people to send Ethereum out.

This is the reason why we're seeing more and more cryptocurrency exchanges getting hacked.

And then there's the third trend on how cryptocurrencies are shaping the InfoSec landscape, which is rogue mining.

And this is fascinating because the first botnet that I saw which was doing mining for cryptocurrencies was already at the end of 2011. So Bitcoin was two years old.

Nobody really had heard about it yet. And we already had the first botnets which were trying to mine for bitcoins on CPUs of infected PCs, which today would be impossible.

But at the time it was sort of doable.
CAROLE THERIAULT
I was just gonna ask you what you thought about, I guess, legal mining in a way where someone gives permission for their computer to be mined in order to access articles or access services on a site.
MIKKO HYPPONEN
I find this idea fascinating.

There's something in this idea that I can't exactly put my finger on, but there's something we will see, some interesting developments coming out of this space.

Users volunteering their CPUs to be monetized for services. And it wouldn't have to be mining for cryptocurrencies, it could be something completely different.

But the idea that with these new powerful JavaScript compilers that browsers like Chrome have, you can actually outsource computing and storage to your users.

So it's an interesting idea. But right now when we look at what we are seeing in our labs at F-Secure, well, we're seeing tons of cryptojacking.

10 years ago, if somebody would hack a mainstream website, what they would do would be a defacement. They would delete the front page and replace it with—
CAROLE THERIAULT
Screw you. Yeah, exactly.
MIKKO HYPPONEN
Yes.
GRAHAM CLULEY
Yeah.
MIKKO HYPPONEN
And then 5 years ago when criminals would hack a mainstream website, they wouldn't do that. They would actually install an exploit which would target your Flash and Java.

And today they wouldn't do that either because nobody runs Flash and Java anymore.

Today they would add a cryptojacking JavaScript extension, which then would start monetizing your CPU by mining for, typically, Monero.
CAROLE THERIAULT
But so this is happening when potentially a user is visiting a new webpage and that webpage tries to use the power of that person's computer in order to mine crypto.
MIKKO HYPPONEN
Exactly. And the point here, what makes it bad is that the user has no idea. There's no explanation, there's no warning. It's done by a hacker, it's not done by the site itself.

It's being done from the site because they got hacked.
GRAHAM CLULEY
The only thing you might notice is if your fan starts going off, your computer begins to slow down. But mind you, I find Chrome is getting slower and slower anyway.

I'm finding it a more painful experience going into it. But that seems to be the greed of the crypto miners themselves, is sometimes they go for it too much, don't they?

They're too greedy.
CAROLE THERIAULT
Well, I'm worrying about those people like me who often work with maybe 20 or 30 tabs open on a browser session, and then maybe I'll leave them overnight.

My machine would just be whirring away and they're like, I'm the big cash cow, 'cause they're connected the entire time.
MIKKO HYPPONEN
If your laptop is sleeping, it won't be mining, but if you leave it running, yeah, that's perfectly possible.

And if the mining script is done right, it doesn't actually have to take 99% of your CPU. It can actually just take 10% and they would maybe still be able to make money.

And this has become a bigger and bigger problem. There are at least 10 different competing cryptojackers. I guess Coinhive, BroMiner, and JSCoin are the biggest, but there's tons of others.

DeepMiner, CoinAim, Project POI, others that we're seeing. Especially JSCoin is interesting because they are not mining for Monero, which is what most of the others are mining.

They actually have their own token, they have their own coin, which you can only mine with JavaScript. There's no other way of mining this except with JavaScript.
GRAHAM CLULEY
And this code can by itself be legitimate, as you and Carole have just discussed.

You know, it is possible for websites to make this as a business decision and say, look, in order to fund our website, this is what we're going to do.

And so I'm wondering, how are antivirus products like yours handling this?

Are you now beginning to detect these miners themselves and say, look, this is potentially unwanted code on this web page.

You have to decide if you want to allow it to run or not, just as you would with a traditional application.
MIKKO HYPPONEN
And that's exactly what we're doing. We are detecting these now as coin miners.

And I'm not actually that happy about this because it seems like we're throwing away the baby with the bathwater because as we just discussed, there could be beneficial good uses where people actually would prefer to volunteer their CPU time instead of paying with money or paying with ads or paying with profiling.

But right now that's what we are doing. And there's a great article published by Brian Krebs about how I suppose the largest operation in this space works right now. That's CoinHive.

So he has a great article about who exactly are the people behind the CoinHive operation. Link in the show notes to Brian's article.
GRAHAM CLULEY
And some of them have a very shady background. It's quite extraordinary when you read that article.

Hey, wouldn't it be cool though, if we could somehow get an MP3 to mine for coins while people listen? So just listen.
CAROLE THERIAULT
Stop it now.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
Well, anyone who has listened to the Smashing Security podcast knows that Graham and I often advocate the use of VPNs.

I'm sure Mikko would agree that the use of VPNs is a good idea.
MIKKO HYPPONEN
I would.
CAROLE THERIAULT
Now, a VPN obviously is designed to effectively give you additional privacy by cloaking your identity or your activities, your geographic location, your IP address, that sort of stuff.

And loads of people use VPNs for video streaming outside their authorized region, right?

So they might use it to maintain extra privacy when they're on an unprotected Wi-Fi network, just to keep prying eyes at bay.
MIKKO HYPPONEN
Right. I actually use this all the time to watch the Finnish BBC, which is the Finnish Yle radio, our broadcasting company.

They only let you stream news and stuff if you're in Finland, and I'm quite often not in Finland. So I enable a VPN and I watch news from my local TV station over a VPN.
GRAHAM CLULEY
I love to catch up on Finnish news as well.
CAROLE THERIAULT
Because they're always, yeah, they're always in the sauna, aren't they?
MIKKO HYPPONEN
Yes. Full disclosure, I also sometimes watch Top Gear from the BBC iPlayer. Even though I'm not supposed to, am I?
GRAHAM CLULEY
Outrageous.
CAROLE THERIAULT
Well, Mikko, I know you know a lot about VPNs, and I'm glad you're here today, 'cause I really want your insight on this story.

So right now, in light of the Facebook snafus, you know, we're not only just tweaking settings and deleting apps, but a lot of us are considering, hey, maybe, you know, if I'm not using VPN, I maybe should.

And according to the Next Web, it's a booming business. They say by 2019, worldwide demand is going to hit approximately $70 billion, up from $45 billion in 2014.

That's nice growth in 5 years. So it's no surprise to those of us who work in the cybersecurity industry, however, that not all VPNs are created equal. Would you agree, Mikko?
MIKKO HYPPONEN
I would agree indeed.

If you look at our business with VPNs at F-Secure, we've been having a mobile VPN for around 5 years and it is our best-selling mobile product on both iOS and Android.

And the critical point is that when you are using a VPN, for example, on your phone or on your tablet, everything you do on that device gets rerouted through that VPN provider.

So in theory, that provider sees everything you do on that device. So you really have to trust your VPN provider.
CAROLE THERIAULT
I think that is very sage advice.

A recent article from thebestvpn.com, which claims to provide honest, in-depth, and transparent VPN reviews from real users, has published the results of a rather interesting case study.

So they looked at 115 VPNs available on the market today, and the author John Mason says that 26 of these collect log files from their paid users. Check out these stats.

So of these 26 VPNs they found to actually collect logged information, they say about 1 in 3 record personal details, 1 in 4 record IP address, more than half timestamp the connection and collate bandwidth info.

Half record what device type you're using at the time, and a whopping 9 out of 10 collect payment information.
GRAHAM CLULEY
So they're collecting quite a lot of info. I mean, 1 in 4 recording your IP address, 1 in 3 recording your personal detail.

There's a fair amount of information there being collected, isn't there?
MIKKO HYPPONEN
Yes. I mean, this is what you would expect from free or freemium products, which are trying to monetize themselves somehow. But it says— Facebook, that sort of thing. Yeah, yeah.

But this says it's about collecting log files from the paid users, which is just outrageous.
CAROLE THERIAULT
Now, here is the list of culprits from the thebestvpn.com website. Do you recognize these names? Because I recognize quite a few and was surprised that they were listed here.
GRAHAM CLULEY
So this is a list of 26 VPNs and there are certainly some well-known names here.
CAROLE THERIAULT
Yes. And I'll put the link to this article so people can go see for themselves.
GRAHAM CLULEY
Not F-Secure's, Mikko, you'll be pleased to hear. Otherwise you'd be—
MIKKO HYPPONEN
Well, the fact is that we don't actually collect information. We don't collect logs. We don't know who our customers are. We have no information whatsoever.

I mean, to me, that's the point of a VPN. I mean, this is what you're trying to do when you install a VPN and it's quite disturbing it's not the case.
CAROLE THERIAULT
It's important to note that the majority of VPNs tested here or looked at did not seem to break any of these covenants, right? So this is just the kind of bad 26.
GRAHAM CLULEY
So have they worked out which VPNs are telling porky pies?
CAROLE THERIAULT
I actually got in touch with the author to find out.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And so he said, I found 100+ VPNs, including the most popular ones. I checked to see if anywhere on their webpages or sales pages said the words "we don't keep logs."

I did further digging into their privacy policies and terms of service pages to find discrepancies and pointed them out.
GRAHAM CLULEY
Oh, so they're sort of marketing themselves. So, hey, we don't keep logs, which is what you want from a VPN. Yes.

But when you actually read that thing, which nobody reads, the terms and conditions, the privacy policy, then you say, we do actually keep logs.
CAROLE THERIAULT
Well, it's in— so this, I found this the most staggering. Exactly. The web pages are saying we don't keep any logs, and in fact, they are.

So some of the problem I think has to do with sneaky wording to the uninitiated of, you know, in this world of, you know, agreements, terms of services and all this.

So when they say, for example, they do not log or record content, that doesn't necessarily mean that they're not collecting all the other stuff that Facebook's in hot water for, like your name or phone number, IP address, device type, timestamps, and all that metadata.
GRAHAM CLULEY
Yes, the metadata.

So even if they don't know that you're going to Pornhub, for instance, they can determine that you connected from a particular IP address at a particular time, maybe.

And that might be enough information for law enforcement, for instance, or whoever, to determine there's a good chance that this was the user that we're interested in.
CAROLE THERIAULT
I think a lot of people out there think, well, why would I use a VPN? I don't do anything illegal, right?

There's— I think there's a kind of a belief in most computer users that that's the only reason why you would use one. And I don't think that's very fair.
MIKKO HYPPONEN
Yeah, especially in this time of Wi-Fi where we are using the local Starbucks Wi-Fi every day. And that means everyone else in the same Starbucks can see what you're doing online.

All the unencrypted stuff from your computer is visible to anyone else connected to the same Wi-Fi hotspot.
CAROLE THERIAULT
Exactly. So I have a bit of advice. I'm gonna give this advice and I'm gonna ask you, Mikko, to go, yes, I agree or don't agree. Okay. As a vendor.

So I would say, look for recommended vendors. There's a lot of noise out there, and this is a hot market. So I say expect to see a lot of new vendors show up.

Some are gonna be great, but some are gonna also have ulterior motives. Read your terms and conditions carefully.
GRAHAM CLULEY
Mm-hmm.
MIKKO HYPPONEN
Absolutely.
CAROLE THERIAULT
Just because you pay for something doesn't mean that there's absolutely no tracking in it. So again, look at number 2, read your terms, conditions carefully.

And I say make friends with a legal eagle, right?

Honestly, some smart tech entrepreneur out there could create a legal privacy bot that could comb through these kind of documents and highlight areas of concern. I'd be in heaven.
GRAHAM CLULEY
But would you trust it?
CAROLE THERIAULT
If it was a bot, I probably would.
MIKKO HYPPONEN
Would you?
CAROLE THERIAULT
Isn't that awful? I think I'm losing faith in humanity and I'm trusting the machines.
MIKKO HYPPONEN
Yeah. I really feel bad for the guys who were doing this test for reading through the terms and conditions of so many different services. It must have been hell.

However, there is one great service I can plug here, which is called TL;DR Legal. Too Long, Did Not Read Legal. So TL;DR Legal.

They actually take terms and conditions of popular services and translate them into English. It's great.

For example, you look at YouTube terms and conditions, on TL;DR Legal, it's basically five sentences.

You know, you still own your video even though it's on our site, stuff like that. So highly recommend it.
CAROLE THERIAULT
Thank you very much. I will look at that.
MIKKO HYPPONEN
I don't think all these VPNs are there yet, but it is a great idea.
GRAHAM CLULEY
Oh, thanks. Thanks very much, Mikko. I was gonna have that as my pick of the week.
CAROLE THERIAULT
Cross that off my list now. So just, I'm going to put in the show notes other good resources to help you find reputable VPNs and information on how you can go about doing that.

But be careful, basically. Not everything is the same out there. Just because it says VPN doesn't mean this is good for me.
MIKKO HYPPONEN
Choose your vendors carefully. That's what I say, as always.
GRAHAM CLULEY
And if you're in any doubt, there have been cases of people who've been caught out, haven't they, by not having their VPN turned on.

We saw Guccifer 2.0, maybe identified as a Russian agent. And I think there was a member of the LulzSec gang as well, who was caught because he hadn't had his—
CAROLE THERIAULT
Yeah, they just turned off their VPN at one point and that basically hoovered up all the information required by authorities to go and actually catch them.
MIKKO HYPPONEN
So yeah. And it's also a great example of how security technology can be used by good people and it is being used by bad people as well. That's just the way it works.

And the fact that bad people can use security technology doesn't mean that we shouldn't allow good people to use it as well.

If we make any restrictions on using secure technology, if you make it illegal to use security, then only criminals will be able to use security.
CAROLE THERIAULT
This episode of Smashing Security is sponsored by LastPass. LastPass simplifies password management for companies of every size, but it isn't just for enterprises.

It's equally a great solution for business teams, families, and single users. Learn more at smashingsecurity.com/lastpass. And welcome back.
GRAHAM CLULEY
And you join us at our favorite time of the show, part of the show that we call Pick of the Week.

Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever you like. Doesn't have to be security related.

Should never be, necessarily. So my Pick of the Week this week is quite good.

Actually, we've got Mikko here because he works with these chaps at the Internet Archive and I volunteer with them.
MIKKO HYPPONEN
Oh, you volunteer with them.
GRAHAM CLULEY
And I wanted to volunteer this Pick of the Week because they have recently introduced a new section of their archive. You remember those old handheld game consoles?

They're not the new Nintendo Switch. They had really crude graphics, simple gameplay. They just have one game on them, right? Really simple.
CAROLE THERIAULT
That was mid-'80s, right?
GRAHAM CLULEY
Yeah. You'd move a character, you know, it'd be left, right, or middle. That would be the depth of the game, you know. Kids today, they don't know that they're born.

We used to have to get up out of our shoebox in the middle of the night and lick the road clean with our tongues in order to play computer games. Do you hear the violins?
CAROLE THERIAULT
Is this our version of walking to school for 3 miles to get an education? Yeah, basically. Right, okay. So yeah, we're all feeling sorry for the poor little old people.
GRAHAM CLULEY
Well, you know, I just think it's quite fun, isn't it?

And even if you don't want to show your kids, even if they're completely uninterested in this, you may get some nostalgia out of this.
MIKKO HYPPONEN
I actually remember desoldering the beeper from my Nintendo Game & Watch Donkey Kong game so I could play it during school.
GRAHAM CLULEY
So there you go, kids. Just watch out. Study properly at school. Otherwise, you'll end up an antivirus expert.

You can now show your ungrateful kids just what you had to put up with because the Internet Archive has put a whole load of these games up for online play via an emulator.

You can play BurgerTime. Did you ever play Super Double Dragon or something like that? Carole, do you remember stroking your Tamagotchi and making sure it was—
CAROLE THERIAULT
Jesus, and I'm the one who's grubby.
GRAHAM CLULEY
Anyway, links in the show notes if you want to try out some of these really ancient games, because I think it's very cool that they're being preserved, rather like Mikko's adventure game, so that people won't forget them.

I think they're an important part of our history, and that is why it is my pick of the week.
CAROLE THERIAULT
Good pick of the week.
MIKKO HYPPONEN
I'll actually add on Graham's pick of the week, which is that if you are in San Francisco, I do recommend you go and actually visit the Internet Archive, which is on the west side of San Francisco.

It actually is a physical place which actually looks like a museum. I was there myself earlier this month visiting Jason Scott, who's one of the people working there.

It's actually a fairly big place. They actually have quite a few employees.

They have the actual data center partially in the building, which stores all this stuff, including all the archived games, archived websites, things like that.

So I would never have thought it actually had a physical—
CAROLE THERIAULT
I would have not assumed it only lived online.
MIKKO HYPPONEN
We will post a picture in the show notes.
GRAHAM CLULEY
Proof. And Jason, I believe, Carole, you remember I was talking about that text adventure documentary a week or two ago? Jason is the guy who put that together as well.

So Get Lamp, fantastic. Small world. I know, it's all coming together today. It's all coming together on the show. Mikko, what's your pick of the week?
MIKKO HYPPONEN
My pick of the week, against the advice, is linked to computer security.
CAROLE THERIAULT
That's the first time a guest does this, I think. Computer security.
MIKKO HYPPONEN
Well, you know, gee. My pick of the week is a resource from the European Union.

This is the security resource maintained by CERT-EU, the Computer Emergency Response Team of the European Union.

And this is a website which just lists the latest news items from hundreds of different sources. This is the CERT-EU News Monitor.

Well, and as you would expect for a project from the European Union, the URL is easy to remember. It's cert.europa.eu/cert/edition/en/latest. We will put a link in the show notes.

However, it is a good way of seeing exactly what's happening today. Like, is there some big news item?

You just wake up and you want to see if something like the Facebook scandal has happened overnight. It would be the top news item on CERT-EU News.
GRAHAM CLULEY
It's very neat, this. I like this.

There aren't— I mean, there's a lot of sites which aggregate the latest computer security news, but the way in which they're presenting this is pretty cool, I have to say.
MIKKO HYPPONEN
Yes, and they've been running it for quite a while. It's not a news service. And the best part is that it's paid for by us, the taxpayers. Well, we European taxpayers.

I know you're just about to leave the EU, so you can't use this in the UK.
GRAHAM CLULEY
Come on, rub it in, rub it in.
MIKKO HYPPONEN
And you can't join the Eurovision Song Contest either, sorry.
CAROLE THERIAULT
God, don't put the boot in so hard.
MIKKO HYPPONEN
Come on. And that is my pick of the week.
CAROLE THERIAULT
That's a good pick of the week. Very good. Well done, Mikko.
GRAHAM CLULEY
Carole, what have you got?
CAROLE THERIAULT
Well, I've got something fun for you guys. I have a video.

Now, before I show you this video, I want you guys to imagine that you had to get up the side of a building really effing quickly. Maybe you were trying to get away from something.

Maybe you're an authority on the chase, chasing a perp. So how would you go about it? What would be your first thought if you had to do it really quickly?
GRAHAM CLULEY
All right, okay. Well, parachute, that's coming up. A hot air balloon.

I'm just thinking of that thing Mario does where he sort of bounces off walls to go up, you know, the two walls close to each other. I'm not sure I could do that.
CAROLE THERIAULT
Very interesting pick. Now look, I've got a kind of animated GIF that I want to show you. It's only about 30 seconds long.
MIKKO HYPPONEN
Okay, this is a podcast. It's an audio podcast.
CAROLE THERIAULT
I know, I know it's a podcast, but look, I've already thought it all through.
GRAHAM CLULEY
You know, Carole, in the old days of the BBC, they used to have a ventriloquist live on the radio, and that was a very successful show for many years.
CAROLE THERIAULT
Hey, trust me, boys, trust me, boys. I'm going to show you this animated GIF without any sound, and you guys are going to actually do the emceeing.

So you're going to tell the listeners what you're seeing as you see it. Okay, super. So here is the link, and then time yourselves in.
GRAHAM CLULEY
Oh, I've already clicked. Okay, there are some—looks like policemen or marksmen. They're on the side of a building and they've got a long stick. Are they going to pole vault?

Oh my goodness. Okay, there is a man walking up Batman, walking up the side of the wall using this. How cool is that?
MIKKO HYPPONEN
Okay, how do you—that is the coolest thing I've seen.
CAROLE THERIAULT
I found it. Thank you, ZSMalone21 from Reddit. I just—it happened in my feed and I just thought it was one of the coolest things.
GRAHAM CLULEY
There's another one going up now.
MIKKO HYPPONEN
Yeah, I didn't really understand what you were explaining about how to go up a wall. Now I understand.

These guys actually go up the wall with nothing special—they just have a long stick and a couple of guys.
GRAHAM CLULEY
So you imagine this is a hostage situation or something like that, and the police are trying to get into a building. They're going up really quickly, going up to the 4th or 5th floor.

They've got a great big stick. I mean, it doesn't look like a stick which they normally have in the back of the van—it looks like they've just picked it up from somewhere. Improvised.
CAROLE THERIAULT
Yes. Cool, right? And it takes 40 seconds and it's well worth everyone's time. These guys are well hard, aren't they?
GRAHAM CLULEY
I think robbers around the world are going to love this, Carole. Thank you for sharing this. Well, yeah, they all listen to Smashing Security.
MIKKO HYPPONEN
Yeah.
CAROLE THERIAULT
They think it's a way to bypass security. That's why they listen to it.
GRAHAM CLULEY
Okay, well, that is Carole's pick of the week. Fantastic. And what a great show as well.

Mikko, thank you very much for joining us once again—it's always a pleasure to have you with us.
MIKKO HYPPONEN
Thank you for having me.
GRAHAM CLULEY
If there's anybody in the universe who isn't already following you on social media, what's the best way for them to do that?
MIKKO HYPPONEN
You can follow Mikko @MikkoHypponen.
CAROLE THERIAULT
God, stroke his ego, why don't you?
GRAHAM CLULEY
And if you want to follow us on Twitter, we're @SmashingSecurity. Smashing Security, no G, Twitter wouldn't allow us to have a G.

We're on Facebook, of course, there's a Smashing Security Facebook group for those 3 people who still have Facebook accounts.

And we have a Smashing Security store where you can buy stickers and mugs and things like that.
CAROLE THERIAULT
Stop plugging the Facebook channel.
GRAHAM CLULEY
Yeah. We won't mention it again. Okay. The store, smashingsecurity.com/store. Thank you for tuning in. If you like the show, rate it on Apple Podcasts.

It really does help new listeners discover the show and you can find out past episodes on smashingsecurity.com. Until next time, cheerio, bye-bye. Pew pew. Thank you.
CAROLE THERIAULT
Hey, before you go, Mikko, can I ask you a question? Sure. Is it possible that you used a VPN when you reviewed the Smashing Security podcast on iTunes?

Because I went looking and we don't have any reviews from Finland.
MIKKO HYPPONEN
Yeah, I was located in Nigeria when I did the review.
CAROLE THERIAULT
Because I just, there was one here that I thought might be you and it was, you know, "dude is funny and chick is cool, good content, fun show." And then the name, by Lick My Acne.

And I thought, Lick My Acne? Yeah. And that was from the UK. And we thought, could that be you? It's 5 stars. So we're very grateful.
MIKKO HYPPONEN
No comment.
GRAHAM CLULEY
There's—
MIKKO HYPPONEN
Well, thank you for asking. Thank you, Carole.
GRAHAM CLULEY
There's Josh G from America who says— That's probably him. I love this weekly podcast. A lot of great information. But Graham, the way you say Carole's name drives me nuts.

Drives me nuts too. Keep up the good work.
CAROLE THERIAULT
But I can say Mikko Hypponen, right?
GRAHAM CLULEY
Very good. Thanks for coming on the show. Always great chatting to you. All right, see you. Bye-bye.
CAROLE THERIAULT
Are we really hanging up now? Okay, bye.
GRAHAM CLULEY
Yeah, he's a busy man.
CAROLE THERIAULT
Yeah, stop recording, stop recording.

Hosts: Graham Cluley, Carole Theriault

Guest: Mikko Hyppönen – @mikko

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
