Who’s been collecting the voice prints of millions of people saying “My voice is my password”? Why has it become tougher for law enforcement to scoop up cellphone data? And who’s been turning up your central heating?
All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by John Hawes from AMTSO.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And it all started when someone noticed that an increasing number of people were calling help hotlines convinced they were going crazy.
And when these callers were being pressed for more information, the caller would say things like, "The doorbell keeps ringing, but when I answer, there's no one there."
And when these callers were being pressed for more information, the caller would say things like, "The doorbell keeps ringing, but when I answer, there's no one there."
That's postman's knock. People have been doing that for hundreds of years. Smashing Security, Episode 84. No, my voice is not my password. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Episode 84 of Smashing Security. My name is Graham Cluley.
Hello, hello, and welcome to Episode 84 of Smashing Security. My name is Graham Cluley.
And I'm Carole Theriault.
Hi, Carole.
Hello, Mr. Cluley.
And we have a special guest with us this week. It is the returning John Hawes of AMTSO, the Anti-Malware Testing Standards Organization. Hello, John.
Hello, Graham. Hello, Carole.
Hi, wonderful to have you back on the show again. I hope you're keeping well.
I'm pretty good. Lovely to be here as always.
And I hope the world of anti-malware testing is behaving itself.
Oh, it's most excellent. We just recently launched our first proper standard, which is certainly interesting times for us.
Well, I would hope you've released a standard, John, if you're in charge of the anti-malware testing standards.
We are the standards organization, so it's about time.
Yeah.
So do you mean all this time we've been talking to you, you hadn't actually released any standards?
Well, you can't just put them out there. You have to actually build them first.
Oh, okay.
And getting consensus among 50-odd rival organizations, not always easy, but we've done it.
You're like a diplomat, I guess.
Pretty fairly indeed.
Is there an equivalent of Trump? Is there someone who's sort of threatening to leave the Paris Accord on anti-malware testing standards?
There's many Trumps.
A lot of Trumping in the room. Oh yes. This week's episode of Smashing Security is sponsored by VirusTotal. Now you probably know VirusTotal as a malware research tool.
Over 1 million files are uploaded every day by folks analyzing malware and attempting to determine what different antivirus products call a sample.
But you can do much more than that with VirusTotal Intelligence, which helps you get more context about your alerts through advanced malware threat hunting, relationship and behavioral visualization, as well as historical analysis on billions of malware samples.
To learn more about how VirusTotal Intelligence can help you, visit virustotal.com/intelligence.
Learn or email the team at and be sure to say you heard about them on the Smashing Security podcast. Right guys, well look, I want you to do me a favor.
Can you say my voice is my password?
Over 1 million files are uploaded every day by folks analyzing malware and attempting to determine what different antivirus products call a sample.
But you can do much more than that with VirusTotal Intelligence, which helps you get more context about your alerts through advanced malware threat hunting, relationship and behavioral visualization, as well as historical analysis on billions of malware samples.
To learn more about how VirusTotal Intelligence can help you, visit virustotal.com/intelligence.
Learn or email the team at and be sure to say you heard about them on the Smashing Security podcast. Right guys, well look, I want you to do me a favor.
Can you say my voice is my password?
Is that safe?
Is that safe?
Is it safe? Is it safe? Do you remember that? Neither of you are Dustin Hoffman.
Neither of you are prepared to say, "My voice is my password." Well, if you were in the habit of ringing up HMRC, which is another name for the British taxman, they may well ask you to say that phrase.
And they stand accused of stealthily collecting a database of 5 million voice prints saying exactly that. Shut up!
Neither of you are prepared to say, "My voice is my password." Well, if you were in the habit of ringing up HMRC, which is another name for the British taxman, they may well ask you to say that phrase.
And they stand accused of stealthily collecting a database of 5 million voice prints saying exactly that. Shut up!
Hang on. Are they— now, when you say they may ask you to say that phrase, are they actually saying, please say this particular phrase?
They are, as you will find out, John. I will explain.
But that's not very stealthy. You'd think if they managed to get you to say those words separately in other sentences and then put them back together again.
Oh, it's always one, isn't there? Look, yes, they're not stealthily getting you to say the phrase. What they've stealthily done is they've collected this database.
Okay.
This is as yet unknown. Let me explain to you exactly.
I was being overly pedantic there. Please carry on.
You were being a bit pedantic. And no wonder your standards have taken so long to be arranged. If this is the level of discussion which goes on.
HMRC announced way back in January 2017 that they were introducing voice ID technology to help it recognize taxpayers when they called in and speed up the security steps needed.
You know, those hurdles you have to jump over before a call can be dealt with.
HMRC announced way back in January 2017 that they were introducing voice ID technology to help it recognize taxpayers when they called in and speed up the security steps needed.
You know, those hurdles you have to jump over before a call can be dealt with.
So it announced this, it announced this publicly.
They announced this exactly back in January 2017.
They said the first time you call, you might be asked to say this phrase up to 5 times, and then you'll be passed to an advisor to complete the call, right?
They said, "We're going to securely store your passphrase and you can just use your voice in future to confirm your identity." Don't worry a jot about how we secure this.
They said the first time you call, you might be asked to say this phrase up to 5 times, and then you'll be passed to an advisor to complete the call, right?
They said, "We're going to securely store your passphrase and you can just use your voice in future to confirm your identity." Don't worry a jot about how we secure this.
We're the government.
Exactly.
Okay.
UK government never had a security breach in their life.
Hey, I would've done it. I think I would've done it if I didn't have a choice and I needed to talk to the taxman and it was part of their process. I'd probably just do it.
They said at the time that they, although they would be encouraging callers to take advantage of voice ID, you could choose to opt out if you wished.
Well, then I would've done that. Okay.
Okay.
Yeah.
Now let's move forward to the present day. Privacy campaign group Big Brother Watch, also known as BBW.
A bit 1984.
I think that's the point they're trying to get across. Yes.
Not the TV show.
No, it's not about watching the reality TV show. I imagine they get a lot of their web traffic for people trying to find out about Celebrity Big Brother. Yes.
Yeah.
So maybe they were.
They probably have excellent traffic.
Yes.
Huge jump-off rate though. Not the track. Yes. A lot of bouncing.
A lot of bouncing. Which is true, of course. Anyway, so BBW, which can also stand for Big Beautiful Women, I believe. Oh dear.
Anyway, they said that they received a number of complaints, and so they tested HMRC's system and they found there was no way to opt out or to have your voiceprint securely deleted.
So what happens is this: if you ring up the taxman, if you ring up HMRC here in the UK, You are asked to say, "My voice is my password." And if you decline by saying, "No thanks," you're told, "I'll need you to say exactly those words." And if you keep on refusing, they say, "It's important you repeat exactly the same phrase.
Please say, 'My voice is my password.'" Say it.
Anyway, they said that they received a number of complaints, and so they tested HMRC's system and they found there was no way to opt out or to have your voiceprint securely deleted.
So what happens is this: if you ring up the taxman, if you ring up HMRC here in the UK, You are asked to say, "My voice is my password." And if you decline by saying, "No thanks," you're told, "I'll need you to say exactly those words." And if you keep on refusing, they say, "It's important you repeat exactly the same phrase.
Please say, 'My voice is my password.'" Say it.
"My voice is my password." Are you saying the HMRC has been taken over by Daleks?
So not everyone has been confronted with this, because if the database is only 5 million voice prints, there's more taxpayers than that.
That's true. Yeah, I'm sure I've called HMRC and I've never been asked to say any weird sentences.
Well, maybe they're not doing it on absolutely everyone. And of course, not all taxpayers actually have to call HMRC. I think I've only ever called them once.
That explains a lot of things.
Yep. And let's not forget, a voice isn't actually a password, is it? Really?
It's a bit misleading that, because a real password, it's easy to change, but it isn't easy to change your voice, is it?
It's a bit misleading that, because a real password, it's easy to change, but it isn't easy to change your voice, is it?
Yes, it is unique though, like a thumbprint or a fingerprint.
Oh, you think your voice is unique, do you, Carole?
I think my voice is pretty unique.
I'd be amazed. You don't think we could mimic it?
Oh no, I know you can mimic it. I know you can mimic it.
There are a lot of people who make a living out of imitating other people's voices, so presumably it must be possible.
Well, it depends on how good the biometrics are, I suppose, at analysing your particular voice signature, whether they're able to detect determine it or not.
Last year, BBC Click reporter Dan Simmons set up an HSBC account which uses voice ID for authentication, and he wheeled in his non-identical twin brother Joe to mimic his voice.
And as you can hear, he managed it quite successfully. After the tone, please repeat the phrase, "My voice is my password." My voice is my password.
Last year, BBC Click reporter Dan Simmons set up an HSBC account which uses voice ID for authentication, and he wheeled in his non-identical twin brother Joe to mimic his voice.
And as you can hear, he managed it quite successfully. After the tone, please repeat the phrase, "My voice is my password." My voice is my password.
Welcome to HSBC Advance. The balance of your account is £1.21 credit.
I'm off to the bank. For your available balance—
I thought it was going to be more than that, Dan. That doesn't seem like a surprise to me. I would have assumed that it would be quite easy to mimic someone's voice.
But I think the point that Graham's trying to make on that is that therefore you can't use this type of thing if it can be broken just by a brother.
Yeah, I mean, this is tax information. This is not, you know, presumably if you get through, you have access to all the tax background information.
Yeah, I mean, this is tax information. This is not, you know, presumably if you get through, you have access to all the tax background information.
Exactly, right? You could have access to all kinds of things, couldn't you?
And the concern of Big Brother Watch is that this might be being used as a backdoor for collecting biometric data on millions of UK citizens.
And might this data be being shared with other government agencies? HMRC aren't saying how it's being used.
And the concern of Big Brother Watch is that this might be being used as a backdoor for collecting biometric data on millions of UK citizens.
And might this data be being shared with other government agencies? HMRC aren't saying how it's being used.
Oh, they're staying stum right now?
They're staying fairly stum. They're not saying, "My voice is my password." Now it occurs to me, first of all, that I've said "my voice is my password" a number of times now.
So even if I've opted out, they can basically— They're screwed! They can opt me in.
So even if I've opted out, they can basically— They're screwed! They can opt me in.
I've heard they're big fans of the show.
It is odd that you can't choose your own private sentence as well.
That if I was doing this— Yeah, that's true.
So are they just taking "my voice is my password" as a way of reading in your voice, or is that something you have to say every time you log in again?
So are they just taking "my voice is my password" as a way of reading in your voice, or is that something you have to say every time you log in again?
I get the sense that they expect you to say the same sentence.
It just seems very strange that if they're building a security system based around voices being passwords.
Yeah.
And they've chosen this phrase, very similar to a phrase from a movie where some people defeated voice-based identification systems.
That's right.
So presumably they've seen that movie and they know that it doesn't work and they went ahead anyway.
How ironic.
Isn't it ironic?
Isn't it? Don't you think?
Anyway, the ICO, the Information Commissioner's Office, is investigating.
Who knows what's going to happen to this, because sometimes the rules are rather different for government agencies than the rest of us. So watch this space.
But in the meantime, I'd tell people, be a little bit careful.
I mean, if I was asked to give my biometric, I might be tempted to do one of my famous impressions instead, like my Scottish. Or—
Who knows what's going to happen to this, because sometimes the rules are rather different for government agencies than the rest of us. So watch this space.
But in the meantime, I'd tell people, be a little bit careful.
I mean, if I was asked to give my biometric, I might be tempted to do one of my famous impressions instead, like my Scottish. Or—
It's hard to tell the difference, actually.
Hey, it's Carole here. Hi, everybody. Welcome to Smashing Security. Is that good? Is that any good?
Was that me?
Yeah. John, what's your topic for us this week?
Well, so I wanted to talk a little bit about a fairly big US law story that kicked off last week, which is basically a Supreme Court ruling, making it much more difficult for US law enforcement to access people's phone location data.
Hallelujah. That's good.
We've all seen the TV shows where, you know, the cops tracking down the bad guys and they're going, oh, where is he? Oh, let's triangulate his phone. That's what we have to do.
And they always find him straight away. It turns out, as things are at the moment, they pretty much can do that.
It's possible for police to ask cell phone providers for big, big swathes of data based only on suspecting that it might be useful in their investigation.
And they always find him straight away. It turns out, as things are at the moment, they pretty much can do that.
It's possible for police to ask cell phone providers for big, big swathes of data based only on suspecting that it might be useful in their investigation.
Okay.
It's called a court order for disclosure. But going back, so back in December 2010 to March 2011, there was a big spate of armed robberies at RadioShack and T-Mobile stores.
I think it was Ohio and Michigan. And ironically, they actually stole a bunch of smartphones.
I think it was Ohio and Michigan. And ironically, they actually stole a bunch of smartphones.
Okay.
And basically what the— some members of the gang got caught. The cops persuaded them to dob in their buddies and they got the phone numbers for 15 other people.
And they went to the cell company and said, can you just give us everything you've got on these 16 people?
And then they matched up where they had been over a period of 4 months or something, 127 days for one of them.
And they went to the cell company and said, can you just give us everything you've got on these 16 people?
And then they matched up where they had been over a period of 4 months or something, 127 days for one of them.
Holy moly.
And said, well, okay, these guys were outside the scenes of these crimes. So we reckon they probably did it.
And one of them, Timothy Carpenter, for whom they looked at something like 13,000 data points for this 127-day period, he was convicted and sentenced to 116 years in jail.
And one of them, Timothy Carpenter, for whom they looked at something like 13,000 data points for this 127-day period, he was convicted and sentenced to 116 years in jail.
116 years?
Yeah, that's fairly standard for—
You know what? In this day and age, he might actually get out. Seriously.
It's pretty tough, isn't it?
If they've got evidence that you're outside that many locations where crimes are being committed, unless you can claim that you're some sort of superhero crime fighter.
It's quite unlikely, isn't it?
If they've got evidence that you're outside that many locations where crimes are being committed, unless you can claim that you're some sort of superhero crime fighter.
It's quite unlikely, isn't it?
Or that you just drive around a lot.
Or that you gave your phone to someone else.
Villains.
Yeah. Anyway, so he obviously appealed against this on the basis that his cell phone data should not be harvested and used in this way.
It's a Fourth Amendment right to privacy thing.
Right, and his original appeal was rejected in 2015, but then last year this went up to the Supreme Court and they've been pondering it for the last 6 or 7 months.
I think it was November 2017 that they heard the arguments, and then finally last week they came out with their decision saying he's right and the cops should not be allowed to get at that data without a warrant.
They should have a proper formal warrant, and it shouldn't just be give me everything on this guy.
It should be I'm fairly sure this guy is a strong suspect in this case, and I would like this particular data from this particular period for these particular reasons.
It's a Fourth Amendment right to privacy thing.
Right, and his original appeal was rejected in 2015, but then last year this went up to the Supreme Court and they've been pondering it for the last 6 or 7 months.
I think it was November 2017 that they heard the arguments, and then finally last week they came out with their decision saying he's right and the cops should not be allowed to get at that data without a warrant.
They should have a proper formal warrant, and it shouldn't just be give me everything on this guy.
It should be I'm fairly sure this guy is a strong suspect in this case, and I would like this particular data from this particular period for these particular reasons.
And see, that makes a lot of sense to me, right? That makes a lot of sense.
I have no problem with people putting warrants together to get information because they need it, because they suspect someone of a crime.
What I don't like is that potentially innocent people that have not committed any crime have their data being flying between departments and organizations willy-nilly.
I have no problem with people putting warrants together to get information because they need it, because they suspect someone of a crime.
What I don't like is that potentially innocent people that have not committed any crime have their data being flying between departments and organizations willy-nilly.
Yeah. No, and it's also, it's the broadness really. It's that they can go and say, give me everybody that passed by this cell tower in the last 10 days.
Yeah.
And then we'll go and track all those people and say, oh, these are interesting people.
I mean, they got without a warrant 127 days worth of data on 16 different people.
Yeah.
That's a huge amount of stuff.
Yeah.
So this went all the way up to the Supreme Court. I mean, there's no Suprema Court, I imagine.
It's the Supremo Court.
It's the Supremo Court.
Yeah.
Yeah.
This is the big one.
Top of the line. Top of the line. So obviously, I mean, it's not, this is not a huge thing that's going to affect everybody.
This is really only a kind of a small change in the law that affects particular law enforcement agencies and how they go about doing their business.
But there are kind of implications that it will expand to impact, say, when law enforcement goes to Apple and says, can you unlock these phones, please?
Because we believe they belong to terrorists or something. Technology is moving a lot faster than law, obviously.
This is really only a kind of a small change in the law that affects particular law enforcement agencies and how they go about doing their business.
But there are kind of implications that it will expand to impact, say, when law enforcement goes to Apple and says, can you unlock these phones, please?
Because we believe they belong to terrorists or something. Technology is moving a lot faster than law, obviously.
Oh, yeah.
And this is just kind of one little step in bringing law closer in line with how we live today.
I mean, a lot of this expectation of privacy law relies on a case from, I think, 1967, where some guy was in a phone box and the phone box was bugged.
The argument was, you know, I'm in a phone box. I have a reasonable expectation that it's private.
I mean, a lot of this expectation of privacy law relies on a case from, I think, 1967, where some guy was in a phone box and the phone box was bugged.
The argument was, you know, I'm in a phone box. I have a reasonable expectation that it's private.
That's not the only expectation you have in a phone box. You also expect the smell of urine. You probably expect little postcards offering sexy Sadie or something like that.
You know, most millennials don't even know, have probably never been in a phone box in their lives. They've never had that joy.
And Carole, what's your story for us this week?
Well, this past weekend, The New York Times ran a rather disturbing story, and it all started when someone noticed that an increasing number of people were calling help hotlines convinced they were going crazy.
And when these callers were being pressed for more information, the caller would say things like, "I turned on my air conditioner, but then it switched off all without me touching it," or, "The code of my digital lock changes daily.
I don't know how it's doing this." Or the doorbell keeps ringing, but when I answer, there's no one there.
And when these callers were being pressed for more information, the caller would say things like, "I turned on my air conditioner, but then it switched off all without me touching it," or, "The code of my digital lock changes daily.
I don't know how it's doing this." Or the doorbell keeps ringing, but when I answer, there's no one there.
The doorbell keeps ringing, but there's no one there. Isn't that postman's knock? People have been doing that for hundreds of years, right?
You go up to someone's door and you leg it after ringing it. And as for the air conditioner, it turns off when it's decided it's now cool enough in the room.
You go up to someone's door and you leg it after ringing it. And as for the air conditioner, it turns off when it's decided it's now cool enough in the room.
Yeah, they do have thermostats generally, don't they?
They should have rung me up for support. I could have helped with this.
You see, you think you're so clever. You think you're so clever. This is all about IoT-enabled devices.
So the New York Times conducted more than 30 interviews with domestic abuse victims, lawyers, shelter workers, and emergency responders.
Turns out the perps had somehow gained access to the IoT-enabled apps on the smartphone.
Now we're talking about apps that run things like doors or speakers or thermostats or lights or cameras, you name it.
And we're not talking just accessing these, but also remotely controlling these devices in the victim's home.
Basically to either drive them batty or make them scared out of their wits.
So the New York Times conducted more than 30 interviews with domestic abuse victims, lawyers, shelter workers, and emergency responders.
Turns out the perps had somehow gained access to the IoT-enabled apps on the smartphone.
Now we're talking about apps that run things like doors or speakers or thermostats or lights or cameras, you name it.
And we're not talking just accessing these, but also remotely controlling these devices in the victim's home.
Basically to either drive them batty or make them scared out of their wits.
Geez. Wow.
In some instances, and we've talked about these on the show before, but we've heard of people trying to spy or terrorize people in the room.
Remember with those baby monitors, IoT baby monitors? Yes. So take Graciela Rodriguez. She runs a shelter in San Rafael, California.
She told New York Times that some people have come in talking of thermostats suddenly being kicked up to 100 degrees or smart speakers suddenly blasting music.
Remember with those baby monitors, IoT baby monitors? Yes. So take Graciela Rodriguez. She runs a shelter in San Rafael, California.
She told New York Times that some people have come in talking of thermostats suddenly being kicked up to 100 degrees or smart speakers suddenly blasting music.
Wow.
Okay.
So this isn't just problems where the devices aren't working properly. This is people intentionally meddling with their stuff to freak with them.
Or turning up the temperature. It's like, it's getting hot in here. So think, you know, it's—
I see you gesturing. But imagine if a relationship ended badly, for example, right? And the guy is kicked out of the house, but he still has his phone. He's pissed off.
He's got his phone, he's got apps, he's got the apps to manage the thermostat and to manage the Amazon device or Google device. But, you know, he's a bit smart with these things.
He's got his phone, he's got apps, he's got the apps to manage the thermostat and to manage the Amazon device or Google device. But, you know, he's a bit smart with these things.
And then also—
And yeah, right.
So while people love the convenience and the kind of snazziness of internet-enabled devices, the problem seems to be that victims and even some emergency responders, when they're called in, don't have the required knowledge to stop these abuses.
They just don't know how to do it. But I'm thinking we do. I've pulled together a few tips.
I wanted you guys to throw in a few as well as I go along, if you have any advice for our listeners on what we would recommend they do if they feel they're in this type of situation.
Ready?
So while people love the convenience and the kind of snazziness of internet-enabled devices, the problem seems to be that victims and even some emergency responders, when they're called in, don't have the required knowledge to stop these abuses.
They just don't know how to do it. But I'm thinking we do. I've pulled together a few tips.
I wanted you guys to throw in a few as well as I go along, if you have any advice for our listeners on what we would recommend they do if they feel they're in this type of situation.
Ready?
Braced.
Mm-hmm.
So number one, I would say you need to know which devices in your house are internet-enabled. It is not always easy to know from just looking at it.
So you're talking things like heating and TVs and locks and Wi-Fis. And I suggest label everything in your house, put a little sticker on it saying that is Wi-Fi enabled.
People have Wi-Fi fridges, for God's sake.
And even if you're not sure, if you bought it in the last five years, I would just look up online and look up the manufacturing code to see if it has any internet capability.
So you're talking things like heating and TVs and locks and Wi-Fis. And I suggest label everything in your house, put a little sticker on it saying that is Wi-Fi enabled.
People have Wi-Fi fridges, for God's sake.
And even if you're not sure, if you bought it in the last five years, I would just look up online and look up the manufacturing code to see if it has any internet capability.
But presumably you have to, it's not like you just buy a fridge and slap it in the corner and suddenly it's online. You have to connect it to your Wi-Fi.
No, but for example, my husband could have put one in.
Yeah, maybe abusive partners set it all up. That's the thing, isn't it? Yeah.
And yes, of course, some are probably doing it because they're just assholes.
Okay, so things you want to think first, can you reset the device to just reset it, bring it back to zero?
Okay, so things you want to think first, can you reset the device to just reset it, bring it back to zero?
Factory settings.
Right. And if you can't do that, figure out whose account the device is registered to.
If it's you, you can create a new account, maybe even change your username, but definitely change your password on that device.
Now, there are some devices that will not let you change those passwords.
And if you can't change those passwords on those devices, find out if there's a microphone or a video camera on that device.
If there is, then I'd consider dumping it if you can't change the password. Would you guys agree with that?
If it's you, you can create a new account, maybe even change your username, but definitely change your password on that device.
Now, there are some devices that will not let you change those passwords.
And if you can't change those passwords on those devices, find out if there's a microphone or a video camera on that device.
If there is, then I'd consider dumping it if you can't change the password. Would you guys agree with that?
Yes.
Yeah, that's very sound advice. I would say yes, try and find that out in advance and don't buy it. But if you've already bought it, then throw it away.
Exactly. Now, three, check out if the account's been shared with anyone.
Now, for instance, my husband bought our household a VPN service and it's been installed on some of my devices under his email and password.
So there's only one registered user for that account, but I have access to it. So be wary of that. So one, look for accounts and see if there's shared users.
There's two email addresses, for example, tied to one account.
And also, if you think that account's been shared with anybody, switch it up, change the password to a new unique password.
And of course, use password managers to manage all that stuff so they're nice, long, and complex, and not your dog's name, Fifi.
You would be amazed at the devices that have microphones and cameras these days. And if you're not sure, look online and find out and figure out if you can disable those things.
Now, for instance, my husband bought our household a VPN service and it's been installed on some of my devices under his email and password.
So there's only one registered user for that account, but I have access to it. So be wary of that. So one, look for accounts and see if there's shared users.
There's two email addresses, for example, tied to one account.
And also, if you think that account's been shared with anybody, switch it up, change the password to a new unique password.
And of course, use password managers to manage all that stuff so they're nice, long, and complex, and not your dog's name, Fifi.
You would be amazed at the devices that have microphones and cameras these days. And if you're not sure, look online and find out and figure out if you can disable those things.
Do fridges have microphones?
I bet there are some fridges with microphones.
I bet there are some fridges where you can do Dick Tracy style, you know, FaceTime equivalent chatting, you know, I bet you can do video calls and things like that. Yeah.
I bet there are some fridges where you can do Dick Tracy style, you know, FaceTime equivalent chatting, you know, I bet you can do video calls and things like that. Yeah.
With the panel on your fridge?
Yes, you'll probably have some sort of daft sort of Windows XP embedded sort of governance or something like that, wouldn't you? I bet it happens.
So you can ask it if there's any cheese left without opening the door.
I'm always fully aware of the cheese levels in my fridge. I'm intimately keeping track of those.
Now we totally talked about IoT devices, but we haven't talked about the obvious things, the Wi-Fi, the mobiles, the computers. Of course, these things need to be looked at.
So you want to check your settings, check the accounts, check all the configuration settings and get rid of accounts you don't need.
And basically you just want to change everything, all the passwords you can. Try and lock it down, especially the Locate My Phone.
So you want to check your settings, check the accounts, check all the configuration settings and get rid of accounts you don't need.
And basically you just want to change everything, all the passwords you can. Try and lock it down, especially the Locate My Phone.
So Carole, I think it feels to me like with so many devices potentially being in your house and being IoT enabled and it being hard to work out exactly what might be connected, that a key thing to do is probably to look at your Wi-Fi router and maybe change the name of your Wi-Fi network because then all those devices won't be able to connect to the internet via your router anymore, right?
If you change the username of your Wi-Fi and can't find it?
A small number of devices may have SIM cards or they may be connected to your neighbor's Wi-Fi.
And obviously there's not much you can do about that, but it feels to me like that would be something.
And also look at your routers generally, because if you were with a nerdy person who might now be tormenting you via IoT, there's always the potential that they could log into the router remotely and reconfigure it or set up an additional Wi-Fi network inside your house so that all those devices can get back online too.
And obviously there's not much you can do about that, but it feels to me like that would be something.
And also look at your routers generally, because if you were with a nerdy person who might now be tormenting you via IoT, there's always the potential that they could log into the router remotely and reconfigure it or set up an additional Wi-Fi network inside your house so that all those devices can get back online too.
Yeah. And there's also generally when you log into your admin panel on your router, you can actually see which devices are connected.
So you can look through the list and go, hang on, I don't recognize that fridge.
So you can look through the list and go, hang on, I don't recognize that fridge.
Yeah. And a little tip actually is make sure you make your name of your Wi-Fi router boring, like 65677BC as opposed to Donna's Pad, especially if your name's Donna.
Yeah.
Right. Because people do that. I see them everywhere. When I'm looking around for Wi-Fi, I can see that people use their name.
Well, actually, I once, we have a very— We have a world-famous author who lives in my village, and once I wanted to contact him for something or other.
His Wi-Fi said his name, and so I knew which house he lived in, and then I was able to pester him.
His Wi-Fi said his name, and so I knew which house he lived in, and then I was able to pester him.
Now, lastly, before I wrap up, if I may, if you think you are being watched, right, in this situation, what you need to do according to some online harassment guides, which I have linked to via the show notes, the best thing is you have to document everything relevant to the incident.
So times, dates, apps used, or technology involved, or details, the incident screenshots, screenshots, screenshots, photos, all that stuff, really useful.
But a really good tip that I read is don't hand over too much information or irrelevant information as part of that, because it could always be handed over as evidence to the courts or shared with, you know, inadvertently with the abuser.
So, for example, don't include personal photos unrelated to the incident. Good to know, right? As I said, there's a lot of information on our website and show notes.
And if you have a friend or colleague that's going or has mentioned things this, don't assume they're nuts. You know, they're not cray-cray.
Share the podcast with them so they can get some help.
So times, dates, apps used, or technology involved, or details, the incident screenshots, screenshots, screenshots, photos, all that stuff, really useful.
But a really good tip that I read is don't hand over too much information or irrelevant information as part of that, because it could always be handed over as evidence to the courts or shared with, you know, inadvertently with the abuser.
So, for example, don't include personal photos unrelated to the incident. Good to know, right? As I said, there's a lot of information on our website and show notes.
And if you have a friend or colleague that's going or has mentioned things this, don't assume they're nuts. You know, they're not cray-cray.
Share the podcast with them so they can get some help.
Well, thank you for that, Carole.
It's a little sober this week, but important.
Yeah, scary.
A bit of a sad topic in some ways. But you know what isn't sad? It's time for Pick of the Week. And thanks once again to VirusTotal for sponsoring this episode of Smashing Security.
Over a million files are uploaded to VirusTotal every day for analysis and to determine what different antivirus products call them.
But you can do much more than that with VirusTotal Intelligence.
VirusTotal Intelligence helps you get more context about alerts through advanced malware threat hunting, behavioral visualization, as well as historical analysis of samples.
Learn more by visiting virustotal.com/learn, and be sure to let VirusTotal know that you heard about them from the Smashing Security podcast.
And welcome back to the show, and it's our favorite part of the show, the part of the show that we to call Pick of the Week.
Over a million files are uploaded to VirusTotal every day for analysis and to determine what different antivirus products call them.
But you can do much more than that with VirusTotal Intelligence.
VirusTotal Intelligence helps you get more context about alerts through advanced malware threat hunting, behavioral visualization, as well as historical analysis of samples.
Learn more by visiting virustotal.com/learn, and be sure to let VirusTotal know that you heard about them from the Smashing Security podcast.
And welcome back to the show, and it's our favorite part of the show, the part of the show that we to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
Doesn't have to be security-related necessarily.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
Doesn't have to be security-related necessarily.
I hope it's not this week.
Well, mine isn't security-related this week. Mine is a website and it's called music-map.com. And it will— yes, intriguing, eh? Music-map.com.
Well, what it does when you go to it, it asks you to name an artist and you type in the artist's name.
Well, what it does when you go to it, it asks you to name an artist and you type in the artist's name.
I'm going in right now. Bryan Adams.
The Groover from Vancouver.
The Groover from Vancouver.
Oh.
And what it will do is it will put up almost like a mind mappy thing.
All these names will swirl around of other artists who it believes are similar or other music that you might like if you are a fan of whoever you put in.
All these names will swirl around of other artists who it believes are similar or other music that you might like if you are a fan of whoever you put in.
Right, yeah, it's an interesting thing. So I see Celine Dion, presumably that link is that they've come from, they're born in Canada.
A lot of Canadian people like to, you know, basically eat that meat.
Meatloaf.
And so they're enjoying Brian and they're enjoying Celine. They're just helping the national economy.
Right.
Right. So I entered, for instance, Del Amitri, right, who are an early '90s, '80s pop group, and up comes Ron Sexsmith.
And so I discovered Ron Sexsmith, who I think is another Canadian, isn't he?
And so I discovered Ron Sexsmith, who I think is another Canadian, isn't he?
I don't know.
Ron Sexsmith is a great Canadian songwriter. I've only discovered him in recent months. He's smashing. And I found out via sites like this him and other artists who I might enjoy.
Oh yes, I'm looking now. You have Rufus Wainwright nearby.
So if you want to have a slightly wider— what am I saying?
Musical repertoire.
Yes, you might want to go to music-map.com. And you will find other artists you might enjoy.
Then you can go and check them out on Spotify or one of those and say, oh no, I do actually really like them. So it's a great way of finding other things.
So I found, for instance, some sort of Danish miserable rock genre, right, which because Ron Sexsmith is a bit of a hangdog deputy dawg kind of figure, a bit morose, which is what I like.
And so it's helped me find other artists. And so I really like it. And that is why it is my pick of the week.
Then you can go and check them out on Spotify or one of those and say, oh no, I do actually really like them. So it's a great way of finding other things.
So I found, for instance, some sort of Danish miserable rock genre, right, which because Ron Sexsmith is a bit of a hangdog deputy dawg kind of figure, a bit morose, which is what I like.
And so it's helped me find other artists. And so I really like it. And that is why it is my pick of the week.
It's a very cute pick of the week. I'm just looking up Thom Waits right now.
Oh, sweet.
Who would be like him? Yeah. Oh, Nick Cave. Yep.
I don't know how—
Drake, Leonard Cohen.
I don't know how— oh yeah, Joni Mitchell. I don't know how they're working out.
I don't know if it's something like an Amazon people have also bought this or I don't know where this data is coming from, but like the Apple Genius thing. Yeah, not sure.
I don't know if it's something like an Amazon people have also bought this or I don't know where this data is coming from, but like the Apple Genius thing. Yeah, not sure.
This is, yeah, this is quite interesting. When I put in Thom Waits, I would probably know 60, 70% of them here. Yeah, interesting. Cute pick of the week. I like it.
Thank you. Very nice.
John, what's your pick of the week?
Well, so I've got a slightly meta pick of the week. I'm a big fan of BBC Radio 4, the BBC's flagship—
Who isn't?
Show channel for serious, mature people like myself.
And I don't have specific times when I listen, so I very much like a show they have called Pick of the Week, where they have a guest on and they choose their favorite shows from the last week.
And no, so Pick of the Week is not my pick of the week this week.
I actually wanted to mention a show that I heard on Pick of the Week, or I heard an excerpt from, which is a clip from a show called Shortcuts.
Which is lots of little documentaries, plays, just kind of 5-10 minute bits. And this particular one was about meatspace, which people with long memories might actually remember.
So basically there was a guy wrote a novel, I think, called Meatspace. I don't know this at all.
Him and a friend were looking into ways to promote this and they were very literal-minded people, obviously.
So they decided to get a lamb chop from their local curry house and send it up into space on a weather balloon with a camera attached.
And they had this plan that they would send it up on this weather balloon and taking a video and then figured out where it would come back down again and went to the field where it was going to come back down and it wasn't there.
And so this episode of this show details how they went about getting it back and particularly how they were basically messed with by some weird dude who kept telling them that he had their camera and he would meet them at the motorway service station outside Bridgewater, and then wouldn't show up, and then would phone them and say, oh, I'm sorry, I'm on my way home, let's go and meet in somewhere else.
And it was a very interesting story, and they eventually obviously did get it back because there's quite a famous video on YouTube of the lamb chop going from the curry house to space, which I recommend you watch.
It's like 2 minutes long.
And I don't have specific times when I listen, so I very much like a show they have called Pick of the Week, where they have a guest on and they choose their favorite shows from the last week.
And no, so Pick of the Week is not my pick of the week this week.
I actually wanted to mention a show that I heard on Pick of the Week, or I heard an excerpt from, which is a clip from a show called Shortcuts.
Which is lots of little documentaries, plays, just kind of 5-10 minute bits. And this particular one was about meatspace, which people with long memories might actually remember.
So basically there was a guy wrote a novel, I think, called Meatspace. I don't know this at all.
Him and a friend were looking into ways to promote this and they were very literal-minded people, obviously.
So they decided to get a lamb chop from their local curry house and send it up into space on a weather balloon with a camera attached.
And they had this plan that they would send it up on this weather balloon and taking a video and then figured out where it would come back down again and went to the field where it was going to come back down and it wasn't there.
And so this episode of this show details how they went about getting it back and particularly how they were basically messed with by some weird dude who kept telling them that he had their camera and he would meet them at the motorway service station outside Bridgewater, and then wouldn't show up, and then would phone them and say, oh, I'm sorry, I'm on my way home, let's go and meet in somewhere else.
And it was a very interesting story, and they eventually obviously did get it back because there's quite a famous video on YouTube of the lamb chop going from the curry house to space, which I recommend you watch.
It's like 2 minutes long.
Okay, shorter than the description.
Much shorter than description, yes. But also, my actual pick of the week was not the video, but the show about the background of how the video was retrieved from this crazy dude.
Okay, that's really cool.
Okay, that's really cool.
I'm definitely going to watch that.
Thank you very much. Yeah, that is quite something. That's going to be hard to top, to be honest, Carole, and I'm not sure you're going to be able to achieve it.
We've had two quality picks of the week, dare I say it, so far this week. Let's see what you've got. Okay, I'm a podcast junkie.
We've had two quality picks of the week, dare I say it, so far this week. Let's see what you've got. Okay, I'm a podcast junkie.
Everyone knows that. And I'm also a bit of a fan of the kind of tech-driven sci-fi stuff like Charlie Brooker's Black Mirror.
So I was thrilled that Adam Buxton recently published an interview with the Black Mirror creator, Charlie Brooker.
It's a rambly chat, and it touches on everything from playing video games to behind the scenes of Black Mirror. And yeah, they do. They chat, there's bathroom humor in there.
Yeah, you know, it's funny stuff to me, but maybe pooping is not everyone's cup of tea. There's a bit of cussing, so maybe adults only.
So I was thrilled that Adam Buxton recently published an interview with the Black Mirror creator, Charlie Brooker.
It's a rambly chat, and it touches on everything from playing video games to behind the scenes of Black Mirror. And yeah, they do. They chat, there's bathroom humor in there.
Yeah, you know, it's funny stuff to me, but maybe pooping is not everyone's cup of tea. There's a bit of cussing, so maybe adults only.
I think there's a video somewhere, isn't there, about poop being someone's cup of tea? Isn't that famous? That sounds pretty nasty.
I've never watched it myself, but it's something like one cup, two—
I've never watched it myself, but it's something like one cup, two—
Find Adam Buxton podcast on his website, episode 76, where he interviews Charlie Brooker.
Worth a listen. Sounds wonderful. Well, apart from the bit about the cup of tea, which I'm a little bit worried about, maybe we can skip past that.
Well, on that proverbial bombshell, I think we've just about wrapped it up, haven't we?
John, if people want to find out more about you or about AMTSO, what's the best way they can get in touch with you?
Well, on that proverbial bombshell, I think we've just about wrapped it up, haven't we?
John, if people want to find out more about you or about AMTSO, what's the best way they can get in touch with you?
You can reach me at . Fantastic.
And folks can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G.
You can buy t-shirts and stickers and other kinds of goodies at smashingsecurity.com/store. And thanks for tuning in. If you like the show, rate us on Apple Podcasts.
Helps people find us. It's fantastic. And go to smashingsecurity.com for past episodes and for details of how to get in touch with us. Until next time, cheerio. Bye-bye. Bye everyone.
You can buy t-shirts and stickers and other kinds of goodies at smashingsecurity.com/store. And thanks for tuning in. If you like the show, rate us on Apple Podcasts.
Helps people find us. It's fantastic. And go to smashingsecurity.com for past episodes and for details of how to get in touch with us. Until next time, cheerio. Bye-bye. Bye everyone.
Bye-bye. It's a sex show.
Pirates.
Don't want any of those around here. It's recording. We have started recording.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
John Hawes
Show notes:
- Voice ID showcases latest digital development for HMRC customers
- HMRC takes 5 million taxpayers’ Voice IDs without consent – Big Brother Watch
- UK taxman has amassed voice profiles of 5.1 million taxpayers
- BBC fools HSBC voice recognition security system
- Knock down ginger — What Graham meant to say when he referred to “Postman’s knock”
- Victory! Supreme Court Says Fourth Amendment Applies to Cell Phone Tracking
- Thermostats, Locks and Lights: Digital Tools of Domestic Abuse
- Safety Net: the National Safe & Strategic Technology Project
- US Tech Safety hotlines
- UK National Domestic Violence Helpline
- Worldwide helpline directory
- Music-Map – The Tourist Map of Music
- Del Amitri
- Ron Sexsmith
- BBC Radio 4 – Short Cuts
- Tandoori Lambchop Sent to Space (Meatspace) – YouTube
- Adam Buxton podcast with Charlie Brooker
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: VirusTotal Intelligence
VirusTotal Intelligence is one of the world’s largest malware intelligence services. Security professionals rely on it to better understand the effects of malware in enterprise networks.
Go to www.virustotal.com/learn to learn more
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
RSS for nerds? Podcasts = Apple Podcasts …Look a lot like a fanboie here (elite for fanboy).
Most of our downloads come from Apple Podcasts/iTunes, followed closely by PocketCasts . Our listeners are overwhelmingly iOS users (my guess is that's because Android doesn't ship with a default podcast app).
Personally I like Overcast and PocketCasts, and think Apple Podcasts is horrendous. The good news is that you can listen via any podcast app using the RSS feed, although the uninitiated may be baffled as to what they're supposed to do with it.