Smashing Security podcast #090: Fortnite for Android, and the FCC’s DDoS BS

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Smashing Security #090: Fortnite for Android, and the FCC's DDoS BS

Fortnite players are told they’ll have to disable a security setting on Android, the FCC finally admits that it wasn’t hit by a DDoS attack, and Verizon’s VPN smallprint raises privacy concerns.

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by David Bisson.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Let me introduce to you my pick of the week, which is—
CAROLE THERIAULT
Oh shit, shit!
GRAHAM CLULEY
I'm sorry.
CAROLE THERIAULT
Graham, the book that you bought me called The Triceratops Who Loved Me has just been soaked.
GRAHAM CLULEY
I was always expecting that to be a book which might get slightly damp. I think you'll find it does have wiped-down pages.

Smashing Security, Episode 90: Fortnite for Android and the FCC's DDoS BS with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 90.

My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
Hi, Carole.
DAVID BISSON
Hello.
GRAHAM CLULEY
And we are joined this week by a returning guest. He hasn't been on the show for a while, but he's back now with a vengeance. It's security writer David Bisson. Hello, David.
DAVID BISSON
Hey guys, how's it going?
CAROLE THERIAULT
Good. What are you avenging?
DAVID BISSON
My honor.
CAROLE THERIAULT
Ah, did Graham take a swipe at it?
DAVID BISSON
Every single day.
CAROLE THERIAULT
I know, he's outrageous. He's outrageous. Now I have something to say. I have something to say if I can use this window.
GRAHAM CLULEY
Yes, of course.
CAROLE THERIAULT
I have a happy birthday to say. This is on the day of recording rather than day of publication.
GRAHAM CLULEY
So are we doing birthday dedications for listeners of the show now? Can people write in and we'll—
CAROLE THERIAULT
Well, maybe it's not a listener.
DAVID BISSON
Oh, we should do that.
CAROLE THERIAULT
Maybe it isn't a listener. Maybe it's the internet. Happy birthday, internet. Happy birthday.
DAVID BISSON
Wait, the internet?
GRAHAM CLULEY
How old is the internet today?
CAROLE THERIAULT
27 years old today. I read that somewhere today.
GRAHAM CLULEY
The internet? Okay. I don't think it's older than 27 years old.
DAVID BISSON
No, wait. What do you mean by the internet?
CAROLE THERIAULT
Why are you guys— The World Wide Web, of course.
GRAHAM CLULEY
Okay, that's different from the internet, Carole.
CAROLE THERIAULT
Oh.
GRAHAM CLULEY
That's a subset of the internet. The internet's been around for decades before the web was around.
CAROLE THERIAULT
Okay. Potato.
DAVID BISSON
And how far are we going back here? Could we say that the adoption of TCP/IP is the first beginning of the internet?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Oh, what? Graham, is that a bit geeky for you?
GRAHAM CLULEY
Just a little bit nerdy there.
CAROLE THERIAULT
Oh, right. So if it's just beyond your level of knowledge, then you— Yeah.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
You snort.
GRAHAM CLULEY
So you're celebrating Tim Berners-Lee, right? Created—
CAROLE THERIAULT
Tim Berners-Lee, World Wide Web.
GRAHAM CLULEY
Sir Tim. As he is today, inventing the very first web pages.
CAROLE THERIAULT
Web pages were invented today.
GRAHAM CLULEY
Which did, of course, popularise the internet amongst—
CAROLE THERIAULT
Yes. Okay. You know what? I take your point. I was, I misspoke. Great. I'm glad I brought up the big guy.
DAVID BISSON
Happy convoluted birthday.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
High five, Tim.
GRAHAM CLULEY
And ever since the web was invented, there have been no security or privacy problems ever since. It's all gone very smoothly.
DAVID BISSON
Smooth sailing.
GRAHAM CLULEY
Very smooth, very smooth. Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in.

Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare.

That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.

LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.

As an administrator, you can create highly secure passwords for your new starters right from the outset. Means no snafus.

Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.

So guys, I think it's well established that there are various stages during the life of a man? Or a woman? You begin off fairly simply, don't you?

You begin off with wooden toys or Lego, something like that. And then maybe you get into Minecraft. Then when you're a teenager, you might get into some of those shoot-'em-up games.

And eventually you become a crazy old white guy.
CAROLE THERIAULT
This is pretty stereotypical, Graham. I'm not sure it really applies to most people.
GRAHAM CLULEY
You sure?
CAROLE THERIAULT
Yeah, pretty sure.
GRAHAM CLULEY
I thought this is how it happens. Anyway, what I'm interested in today is not the crazy old white guys who eventually become president.

What I'm talking about today are the people who are teenagers who are attracted to a video game, and I wonder if either of you have heard it or indeed played it, called Fortnite.
DAVID BISSON
Oh yeah.
CAROLE THERIAULT
I have not. I know it by name, but that's it.
GRAHAM CLULEY
I've never played it. Have you played it, David?
DAVID BISSON
No, I haven't played it, but my brother has.
GRAHAM CLULEY
So you've watched over his shoulder, presumably. How would you describe this game?
DAVID BISSON
Well, you basically, as players, you parachute in there, I think upwards of 100 players, and you can build stuff, and you're in this arena where it keeps shrinking and shrinking, basically down to where you're trying to kill each other and be the last one, the last team, something along those lines.
GRAHAM CLULEY
So it's like an Arnie movie, basically. You've got a great big gun, you're trying to kill everyone, and you want to make sure that you're the last man or woman or alien standing.
CAROLE THERIAULT
But he says you build stuff too, so it's Minecraft with guns.
GRAHAM CLULEY
Right, so you can build things to climb up and to help you get up cliffs or to build barriers to prevent other people getting to you. But anyway, this is an incredibly popular game.

It's for the Switch. You can get it for your PlayStation, your Xbox, iPads, iPhones, and now Epic Games have said that they are going to distribute this for Android as well.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
But they're going to do something slightly different. They have decided not to distribute it in the official Google Play Store, which is basically the official Android marketplace.
CAROLE THERIAULT
Okay. That's really unusual for a legit company. I've never heard of that before.
GRAHAM CLULEY
And you may think, well, why would they choose not to do that? Right.
CAROLE THERIAULT
Hence my question.
GRAHAM CLULEY
And of course, the reason, Carole, comes down to money because there's a Google tax of 30%. If you sell— Shut the front door!
DAVID BISSON
What?
CAROLE THERIAULT
30?
GRAHAM CLULEY
30, 3-0%, and it's a similar situation with the iOS App Store as well.

Apple and Google are making a nice chunk of change and becoming trillion-dollar companies by having some of this cash.
DAVID BISSON
Is this just for Fortnite? Has anything like this ever happened before?
GRAHAM CLULEY
So the amount which they take is true of all apps. Now Fortnite is given away for free, right?

You can play it for free, but if you want in-game purchases, if you want to download patches and extra bits and bobs, then you have to give money for it.
DAVID BISSON
Gotcha.
GRAHAM CLULEY
So what Epic Games are saying is that if you want Fortnite on your Android, you're going to have to go to Fortnite's website and click on one of their links, and you will have to disable a recommended Android security setting, because normally Android has a setting enabled which says don't allow apps from unknown sources.
CAROLE THERIAULT
Don't allow any apps that we don't make a markup on from going onto your phone.
GRAHAM CLULEY
Oh, you are so cynical, aren't you?
CAROLE THERIAULT
Do you know what's interesting though? So Epic Games, as you say, Fortnite's very popular, right? So they're probably saying, look, people are going to come get it no matter what.

It's like the crack of games. So even if we're not in the official Android store, people are going to happily come to us and we'll get an extra 30%.
GRAHAM CLULEY
Of course.
CAROLE THERIAULT
Yeah, okay.
GRAHAM CLULEY
So they will get this benefit from it, but they are going to have to talk their users through the process of disabling this security setting.

So when you disable this security setting on Android, it pops up a message and it says, your phone and personal data are now more vulnerable to attack by apps from unknown sources.

You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these apps.

So they're really trying to discourage you from sideloading apps onto your phone from unknown sources.
CAROLE THERIAULT
I got you.
GRAHAM CLULEY
I got you.
CAROLE THERIAULT
But how much would it cost to get a usability engineer, right?

It's going to cost less than a 30% cut of the sales to hire someone to manage that whole onboarding process of getting them to change the config option and then putting it back on afterwards once they've installed the app.
GRAHAM CLULEY
Oh yes, but imagine you're snotty little Norris, right? You're a 12-year-old. You've finally downloaded Fortnite onto your Android and you've disabled unknown sources.

You are going to leap headlong into that game. You're not going to be thinking that much about re-enabling that security setting, are you? Because you want to get on with it.
DAVID BISSON
And I think it leaves it wide open to phishing attacks where it's like, oh, you get an email from Fortnite, here, go to this website, you just clone it and it's something completely different, right?
GRAHAM CLULEY
Or imagine an IDN homograph attack where you think you're on the Fortnite website, in fact the O is some bizarre language O which looks just like the letter O, or the R is different, and so it looks like the genuine site.

So yeah, there's no doubt that there will be attempts to trick people into downloading illegitimate versions of Fortnite.

Now I can kind of understand Epic Games' point of view because what frankly are Google adding?

They're adding the ability to reach a huge audience, but they're probably thinking we've got that anyway, because it's Fortnite.
CAROLE THERIAULT
Right.
DAVID BISSON
Yeah, yeah.
CAROLE THERIAULT
But well, it'll be interesting to watch what happens, you know?

I think it's an— I mean, also it may force others to think maybe we'll think that way and it'll maybe force Google to go, look, maybe our tax is a bit high, right?

Because 30%, I don't know.
GRAHAM CLULEY
You know, they don't say don't be evil anymore, don't they?
CAROLE THERIAULT
I know.
GRAHAM CLULEY
I know.
CAROLE THERIAULT
I know.
GRAHAM CLULEY
Because, you know, these are commercial companies, right? Google and Apple. Apple's now a trillion-dollar company. So these companies are unbelievably huge.

I think that this sets a bad precedent. I can understand their reasons for doing it, but I do worry that this will create a more laissez-faire attitude.

As to whether it's wise to install apps regardless of their source in future. And you have to remember as well, what about updates?

If you're getting an app from the official app store, then the whole updating system—
CAROLE THERIAULT
Yeah, that's true.
GRAHAM CLULEY
—is well set up as well and automatic. And in-game purchases are going to be more complicated because you're not going to be making them the regular way through the app store.

You're going to have to be making them some other way. So there's all kinds of manner of chance of this going wrong.

And I would bet my bottom dollar that although Google hasn't been perfect in policing its app store and malicious software has got in there in the past, they will be better at security than Epic.

And what a target Epic Games are now going to be for someone to try and infect one of their updates.
CAROLE THERIAULT
As you lose sleep over this, clearly, I am going to eat popcorn at not being a Fortnite or an Android user and just see what happens.
GRAHAM CLULEY
Well, there's one interesting thing.

Tim Sweeney, the founder of Fortnite company, has been saying, look, if you're running the latest version of Android called Oreo, then the interface will be slightly different.

It will have a couple of security questions, but you won't have to manually disable this particular feature. Now the thing is, Oreo came out a year ago. It came out in August 2017.

How many Android devices as a percentage do you think are actually using it?
CAROLE THERIAULT
Probably less than 10.
GRAHAM CLULEY
Yeah, well, you've ruined it for me. It's 12%. So it's actually been a year.
CAROLE THERIAULT
It's only been a year.
GRAHAM CLULEY
What do you mean it's only been a year?

If you compare that to Apple with iOS, iOS so much more quickly gets out onto all of those devices, and Android has always had this terrible experience, particularly for the non-Google manufactured devices, of distributing updates.

So Oreo has been around for a year. Oh, around about 1 in 10 Android devices are actually running it.

There is actually a brand new version of Android come out this week, Android version 9, also known as Android Pie, which has a number of new security features, but you're only likely to get that for now if you're running one of Google's own Pixel devices.

Yeah. There is a problem with Android security updates.

It has got better, but it's by no means as good as Apple, and once again, I'm very uncomfortable with this whole idea of disabling any security functionality on Android just in order to play a game.
CAROLE THERIAULT
Maybe you need looser underpants or something.
GRAHAM CLULEY
My underpants— can I say, Carole, it's very hot here in England at the moment, and my underpants are pretty billowing. Can we just go to the next story?

I have maximized the wafting in order to keep everything cool.
CAROLE THERIAULT
It's not that kind of show.
GRAHAM CLULEY
David, what have you got for us this week?
DAVID BISSON
All right. Well, I saw a story about a service called SafeWiFi, basically a VPN that Verizon is coming out with.

It creates secure web connections in public places like hotels and coffee shops and those kinds of things.

If you go to the website, it says it uses bank-grade encryption technology as well as includes an ad tracker blocker where it can prevent advertisers from tracking users' activity and serving up targeted ads.

So really good stuff. You want to have something that, especially if you're going on a public Wi-Fi.

But there's a problem because if you look into SafeWiFi itself and start poking around the website, you can't find any current privacy policy for the service.

If you go into the terms and conditions, there is a privacy and security section.

Instead of a unique privacy policy, it basically just includes a link to McAfee's privacy notice and has a link then to McAfee's website.
GRAHAM CLULEY
Oh, is McAfee providing the technology for Verizon's SafeWiFi VPN?
DAVID BISSON
They're working together to create this.
CAROLE THERIAULT
So it's engine and skin or something.
DAVID BISSON
Something along those lines. But that's where it gets troublesome because included then in that privacy notice are things that you wouldn't ever want to see with a VPN service.

So for instance, it says that McAfee can collect things like contact information, payment data, and account login credentials, which may include social network details.

And then it goes on saying that we may also collect other information like what products you purchase, demographic information, photographs, these kinds of things.
CAROLE THERIAULT
It's wonderful, isn't it, when one of the leaders of cybersecurity is out there actually taking information and saying it's legal by putting it in the small Ts and Cs.
GRAHAM CLULEY
Why would they want to know what product? Well, I can imagine why they want to know what products you purchased, but this is just them shooting themselves in the foot, isn't it?
DAVID BISSON
Yeah, it seems that way. I mean, with collecting some of the information, I can understand.

Of course, tracking what products you buy and demographic information, they could probably do threat analysis.

But the funniest thing that I saw and how they use that information is this little section that says, in order to keep these products free, we may use information collected through them basically to allow McAfee and others to show you ads that are targeted to your interests.

But hang on, it says on the website that the VPN includes an ad tracker blocker.

But you go to McAfee's privacy policy notice, and it says McAfee does just that, what it's not supposed to do.
GRAHAM CLULEY
So it sounds like their plan is, yes, they are going to block ads, but they're going to introduce their own. They're going to replace ads with ones from McAfee's own people.
CAROLE THERIAULT
With our own branding.
DAVID BISSON
They're probably going to call it branding. Someone not knowing that this privacy notice redirect is temporary would think that.

Basically, a Verizon spokesperson came out to Motherboard and said, "We are working with McAfee to post our specific privacy policy to address SafeWiFi," and said that the service won't collect any personal information, which is fine, but we're talking about Verizon, and we all know what Verizon has done in the past with zombie cookies and all those kinds of things.

So can you really trust them at this point that they're going to follow through and act on good faith?

I mean, honestly, I wouldn't go with SafeWiFi right now until you can click on that privacy and security section and see a specific privacy policy and make sure that there's not anything remotely suspicious about logging or collecting data.
GRAHAM CLULEY
But the terrible thing is lots of people who are maybe waking up to the dangers of privacy or unsecured Wi-Fi will think, oh, this is fantastic. Verizon are giving this to us.

We should be able to trust them. And Verizon is working with McAfee.
CAROLE THERIAULT
And McAfee's a known security company, so that might even lend you extra trust.
DAVID BISSON
Oh, I'm sure. I'm sure. All the more reason why this is unacceptable. Why would you launch a service? It's not cool, is it?
CAROLE THERIAULT
It's definitely not cool.
GRAHAM CLULEY
So it might be— okay, I'm going to be devil's advocate. Because I don't live in America.

We don't really have Verizon over here as far as I know, but clearly it's got a bad reputation over in North America for various things.

It might be that this has been done with the best intentions and that they just haven't crossed all the T's and dotted all the I's and got their privacy policy together.

Maybe they're not actually going to do all the things which this privacy policy allows them to do.
CAROLE THERIAULT
But without having their own privacy agreement, that's a big oversight because, you know, GDPR, who collects information and who processes information and how that works, you both share responsibility.

So they can't just lean on McAfee and say, oh, it's all you guys.
DAVID BISSON
Yeah, and optics are so important with anything with privacy, and especially if you're Verizon. It's like, you know you've run into trouble in the past.

If I were them, I'd be showing up, it's like, this is what we're doing, this is what we're not doing, and you really, to appeal to the customer's ease of mind.
GRAHAM CLULEY
I'm looking at the policy right now, and it doesn't just say products you purchase and demographic information.

Photographs and videos, biometric data such as fingerprints or voice prints.
CAROLE THERIAULT
Jeez! It's a nightmare. And this is from— this is in McAfee's privacy agreement.

I think people, you know, you almost want to say maybe go check your other McAfee product privacy agreements that you may have signed.
GRAHAM CLULEY
Just to be clear, this is McAfee the company. This isn't John McAfee. If it was John McAfee, maybe I'd understand this.
CAROLE THERIAULT
Now, you know, it's very interesting that you've been talking about Verizon. I'm going to be talking about Verizon.
DAVID BISSON
Oh, segue.
GRAHAM CLULEY
Tell us what your topic is this week.
CAROLE THERIAULT
As you may have heard, the FCC has finally admitted that the distributed denial of service attack that supposedly brought down its commenting system was a big fat lie. About time.

Yeah, since last spring, many have accused the FCC of faking a cyberattack as the reason its commenting system went offline.

And this whole commenting snafu all stems from the net neutrality bill. So just a quick refresher. Net neutrality was the Title II order turned into law under Obama.

And the whole idea is to give equal footing to all internet services.

So this means that ISPs can't throttle your speeds or deny you access to certain services and apps if they weren't gonna do it for everybody else.

Almost everyone except the ISPs thought this was a good idea. They were all pro-net neutrality.
GRAHAM CLULEY
Can I predict right now that whatever goes wrong is all going to be Obama and Hillary's fault?
CAROLE THERIAULT
Okay, watch this space.
GRAHAM CLULEY
A lot of things going wrong now apparently are all their fault.
CAROLE THERIAULT
Okay, you take a little nap and when you hear the word Obama, you can go away. Okay, okay. So when Trump lucked into power, right, he appointed ex-Verizon chief Ajit Pai.

Oh, there you go. Hey. As head honcho of the FCC. And one of Ajit Pai's first focuses was to kill the net neutrality bill. Get it repealed. Right.

Now, despite a significant backlash, I'm sure you guys remember, from internet giants like Apple and Google and Reddit and millions of individual users voicing concern, the FCC pulled it off and net neutrality was officially repealed in June of this year.

Yeah. Now, as you can imagine, not many are happy about this, or rather, there's a lot of people that are unhappy about this.

They're pointing the finger at the FCC for having failed to act in good faith throughout this process. Now, this is where we come back to the whole commenting system DDoS BS.

See what I did there? DDoS BS. We can maybe use that in the title. Yeah. So in May 2017, the FCC system was overwhelmed with comments.

And this happened immediately after comedian John Oliver, host of HBO's Last Week Tonight, made an appropriately huge stink about net neutrality and then asked his millions of viewers to flood the agency with comments supporting net neutrality.
GRAHAM CLULEY
I remember, yeah.
CAROLE THERIAULT
Very soon after, the FCC said the commenting system had been deliberately impaired due to a series of distributed denial of service attacks. Hmm.
GRAHAM CLULEY
Rather than lots of people leaving comments saying, this is rubbish, don't do this. Right.
CAROLE THERIAULT
So net neutrality supporters smelled a rat, asking for proof of the DDoS, and none came. Turns out the FCC had been faking this DDoS attack since May of last year.

And only this past Monday of this week, the FCC has finally admitted that they were full of hooey. Now, this is where it gets annoying.

The chairman, Ajit Pai, was quick to blame the former chief information officer, not by name, but I think it's safe to say it was David Bray.
GRAHAM CLULEY
Oh, I thought you're going to say it was Barack Obama.
CAROLE THERIAULT
And he blamed the Obama administration. Oh, there he is.
DAVID BISSON
Yep, yep, there it is.
CAROLE THERIAULT
Hey, for providing, quote, inaccurate information about this incident to me, my office, Congress, and to the American people, unquote. Now, gee, don't you wish he was your boss?

I mean, when push comes to shove and the proverbial hits the fan, the boss blames you publicly. So nice. Yeah.

Now, the problem is that he had more than a year to come clean and admit this was a system failure and not an attack. So why the delay? Why was that happening?

Well, could it be perhaps that the reason they were faking the cyber attack was because they wanted to avoid a huge media scandal about the lack of resiliency in their systems.

After all, the FCC had just spent $3 million overhauling the whole system.

And they had done this after the first time John Oliver incited his viewers to leave pro-net neutrality comments on the FCC website. This happened two years earlier in 2015.
GRAHAM CLULEY
Okay, so John Oliver had done this trick before, the FCC's website had been flooded, the FCC spent millions of dollars fixing the system. And then it broke again.

And out of embarrassment, they said, "Ah, DDoS attack, you know, bad guys attacking our website." All right, okay. Huh.
CAROLE THERIAULT
So exactly twice, John Oliver got viewers to overwhelm the commenting system, once in 2015 and once in 2017.

And between those two instances, the FCC spent $3 million overhauling the lagging, archaic system presumably to improve resiliency, which it clearly failed to do.

And as you say, I think they were embarrassed that it screwed up its overhaul and then it fell over at the hands of John Oliver, a comedian.

So maybe better to say it'd been DDoSed than to fess up. Anyway, this is not even the only problem with the commenting system.

There was also the problem of people finding out that their identities were being falsely used. Remember this?

An estimated 2 million pro-repeal commenters found to be fake, including those of two senators.

So Senator Jeff Merkley, Democrat of Oregon, and Pat Toomey, Republican of Pennsylvania, were among the victims.
GRAHAM CLULEY
Oh, so these were people who said, "We don't want net neutrality." Well, hadn't said anything necessarily, right?
CAROLE THERIAULT
These are people that either certainly supported net neutrality, and that's why they noticed their names on the commenting page.
DAVID BISSON
And I guess those people weren't the ones who responded to John Oliver's calls. I mean, couldn't that be the DDoS attack?
CAROLE THERIAULT
No, no, I don't think they're trying to tie them.

I think this is, what this is showing is that basically the FCC cannot tell the difference and cannot identify a real comment from a fake comment or one from a bot.

Now, one of the things they're planning to do is add a CAPTCHA system to try and stop bots from being able to post comments, but that doesn't stop an individual pretending or forging someone else's identity in order to leave a comment.
GRAHAM CLULEY
Right. All I can be sure of is none of this is Chairman Ajit Pai's fault. Absolutely, it's nothing to do with him.

I think we need to underline that even though he's in charge of the entire organization, I don't think we should think the buck stops with him.
CAROLE THERIAULT
Well, I'm surprised he didn't blame John Oliver in his speech this morning instead of Obama and his CIO.
DAVID BISSON
I think he's afraid if he blames John Oliver, then John Oliver will come on, do his whole show about Ajit Pai, and then it happened again.
GRAHAM CLULEY
I think if you blame John Oliver and if you ripped off John Oliver's mask in Scooby-Doo, underneath would probably be Hillary Clinton. Yeah, yeah, exactly.
DAVID BISSON
Do you really also want to declare war on late-night comics?
CAROLE THERIAULT
I mean, they're gonna be faster to the post than you are.
GRAHAM CLULEY
Hi Graham. Hey Carole.
CAROLE THERIAULT
I have a question for you.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Do you have a password manager?
GRAHAM CLULEY
Yes, of course I've got a password manager. Do you?
CAROLE THERIAULT
Yes, I do. And do you honestly, honestly think that all companies should have a password manager?
GRAHAM CLULEY
Oh, absolutely. Absolutely. I totally agree. If you don't have one of those, your employees are going to make some terrible password decisions, and hackers may be able to break in.

And an enterprise-grade password management solution, the one from LastPass for instance, will have support for Microsoft Active Directory and funky functions to make it even easier to secure your business.
CAROLE THERIAULT
Okay, I think you've passed my test. Listeners can check out LastPass Enterprise for themselves by visiting lastpass.com/smashing.
GRAHAM CLULEY
And welcome back. Can you join us on our favorite part of the show? The part of the show that we call Pick of the Week.
DAVID BISSON
Pick of the Week.
CAROLE THERIAULT
Wow.
DAVID BISSON
Well, you guys were so enthusiastic. I thought I'd just take it down, you know. Let's get real about what is the Pick of the Week.
GRAHAM CLULEY
Excellent. Okay.
CAROLE THERIAULT
Let's get down, Graham. Let's go.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, podcast, a website, or an app. Whatever they love.
CAROLE THERIAULT
It's getting faster, you know.
GRAHAM CLULEY
Doesn't have to be security related necessarily.
CAROLE THERIAULT
Definitely should not be security related.
GRAHAM CLULEY
Now, many of us have got Netflix or Amazon Prime at home these days. Don't we? Oh yeah. It's the normal way to watch television these days, really, isn't it?

Streaming rather than watching live TV.
DAVID BISSON
Yeah. Do you guys even have cable anymore?
CAROLE THERIAULT
Yes, I think there is cable. I've never actually had cable in my life.
GRAHAM CLULEY
Most people in Britain never had cable.
CAROLE THERIAULT
Yeah. We were happy with 4 channels before Channel 5 came along. Yes. And digital. We really were.
GRAHAM CLULEY
So we never really had it. But yes, we have the internet now, you'll be pleased to hear. And the World Wide Web.

And the World Wide Web, which of course, as we've discussed, is a part of the internet.

And anyway, there's a problem with Netflix and Amazon Prime, that is that there's too much content. Thousands of movies and TV shows for you to check out.

How are you going to decide what to watch?

You know, it's a nightmare drilling into these things, and the sites themselves aren't always the best at bubbling up the most interesting films or TV shows.

Well, let me introduce to you my pick of the week, which is—
CAROLE THERIAULT
Oh, oh, shit, shit. I'm sorry, Graham. The book that you bought me called The Triceratops Who Loved Me has just been soaked.

It's called The Primal Urges Extreme Fantasy by Gloria Screams.
DAVID BISSON
What?
GRAHAM CLULEY
I was always expecting that to be a book which might get slightly damp. I think you'll find it does have— it does have wiped-down pages.
CAROLE THERIAULT
I did laminate it as a coaster.
GRAHAM CLULEY
The Triceratops who loved me.
CAROLE THERIAULT
I haven't yet, I haven't yet dived into its pages. Okay. Anyway. Apologies.
GRAHAM CLULEY
No problem. Back to Pick of the Week. So the sites themselves aren't always the best at bubbling up interesting films or TV shows.

And that is why I would suggest that you check out a website called agoodmovietowatch.com. Okay, I'm going to go look. Go check it out.

Because what agoodmovietowatch.com allows you to do is you can choose your genre. You can tell it which part of the world you're in. So which Netflix, for instance, you watch.

And you can say, oh, tell me about the interesting documentaries. Tell me about this. And you will find, most likely, some TV shows or movies that you weren't previously aware of.
CAROLE THERIAULT
I'm going to choose sincere as my mood. Yes, you can choose moods. Okay. Yeah, it's pretty, it's pretty specific. I'll choose humility.
GRAHAM CLULEY
Yeah. And there you go. So I think this could be quite fun. So I'm going to be trying out agoodmovietowatch.com and I hope our listeners too. And that is why it is my pick of the week.

Very cool. Excellent. And my pick of the week is not The Triceratops Who Loved Me.
CAROLE THERIAULT
What would be my mood if that was the kind of movie I was hoping to watch? That's why I went to the movie bit and charming?
DAVID BISSON
Dark? Weird? There's an element of dark. Well, weird for sure. And thought-provoking. What's wrong with Carole?
GRAHAM CLULEY
I would think the triceratops who loved me would be slightly horny as well. Bum bum. Oh dear.
DAVID BISSON
Would that also include gripping?
GRAHAM CLULEY
Oh God. Please move on. I'm so glad it's not. David, what's your pick of the week?
DAVID BISSON
Okay, well, Graham, I know you like a little game called Overcooked.
GRAHAM CLULEY
Oh yes, it's wonderful.
CAROLE THERIAULT
Yeah, you've talked about this on the show before, haven't you?
GRAHAM CLULEY
Yes, I have.
DAVID BISSON
Yeah, so for anyone who hasn't heard of it, it's a really fun video game where up to 4 players can basically play as chefs in some really zany cooking situations. It's a lot of fun.

If you haven't tried it, definitely go out.

I just played it again this weekend with a few of my friends. We went for a bike ride, got milkshakes, you know, real bonding stuff to bring us together to get into the zone of getting this kitchen functioning.

But as soon as we turn on the game, we're all yelling at each other and laughing. All the counters are on fire. You know, it's just—
CAROLE THERIAULT
In the game. In the game.
DAVID BISSON
Right. Okay. Yes. Not in the real kitchen. So moral of the story with this, sometimes less is more with cooks in the shop.
GRAHAM CLULEY
It's amazing how many of us have an inner Gordon Ramsay, which comes out when playing a game like this and you start swearing at each other.
CAROLE THERIAULT
Calling everyone, "You stupid idiot." I think just bike rides and a milkshake should be your pick of the week. That sounds great.
DAVID BISSON
I mean, that's a pick of the week for every week. I mean, that goes without saying.
CAROLE THERIAULT
I haven't had a milkshake in ages.
DAVID BISSON
Well, you should go and have one. This pick of the week isn't about Overcooked, but it's about its sequel Overcooked 2, which drops on recording day.
CAROLE THERIAULT
So the World Wide Web's birthday.
DAVID BISSON
Yeah. So it's going to be available, I think, first for Nintendo Switch, but then it's going to go out to all the other platforms. So highly recommend you try this next one.

A whole lot more recipes. I think there's cake in there. So it's oh, I love— there's cake. And definitely play it with some friends.

But I'd recommend that you have a cup of tea on standby for afterward. You'll need it to decompress.
GRAHAM CLULEY
But be careful where you balance that cup of tea because it's quite an energetic game. We already found out Carole can be quite a klutz. Yes, you can get copies of this book.
CAROLE THERIAULT
They normally make great coasters.
DAVID BISSON
So that should be your pick of the week.
GRAHAM CLULEY
Well, good one. Overcooked certainly is a great game, and I look forward to Overcooked 2 as well. It really is hilarious fun. Carole, what's your pick of the week?
CAROLE THERIAULT
Well, my pick of the week is a BBC article, and it's an overview of why Winnie the Pooh, the new film, has been banned in China. Have either of you read this?
GRAHAM CLULEY
No, I think I know what this is about. So then you stay schtum. Yes, I will.
CAROLE THERIAULT
This all has to do with Chinese leader Xi Jinping being compared to the beloved bear.

Now, if you go to my link that I've provided, you can see that the comparisons began in 2013 with an image of Xi Jinping walking with President Obama, and it was posted alongside a picture of Pooh walking next to Tigger.

Do you see how their body language in the two pictures is identical?
GRAHAM CLULEY
Uncanny, isn't it?
CAROLE THERIAULT
And then in 2014, there's a picture of Xi Jinping shaking hands with the Japanese Prime Minister. And you will see that they put it alongside a picture of Pooh with Eeyore.

And again, the body language and even the facial expressions are identical.
GRAHAM CLULEY
And it's so strange because this is years before Eeyore launched his presidential bid, of course.
CAROLE THERIAULT
Well, now, just to make this come full circle, our old friend John Oliver has also been censored after he criticized Xi Jinping in China.

But in the roast, he also mentioned the president's sensitivity to being compared to the Pooh Bear.

Now, it's just worth reading the article because it's very cute how similar they look. But I just don't get why anyone wouldn't want to be compared to Pooh. I think it's an honor.
GRAHAM CLULEY
Well, I wouldn't want to be compared to Pooh, but I'd want to be compared to Winnie the Pooh. Winnie the Pooh.

Yes, because he's the most— well, other than Piglet, is the most adorable thing in the world, isn't he? Why wouldn't you want to be?
CAROLE THERIAULT
He's a dude, so I just don't get it.
GRAHAM CLULEY
Anyway, he's not a dude. Winnie the Pooh may be many things, but he's not a dude. No, he's not.
CAROLE THERIAULT
Well, vote, vote, vote on Twitter. I think I'm gonna win this one.
GRAHAM CLULEY
We're gonna do a Twitter poll, right? Okay, is Winnie the Pooh a dude or not? All right, okay. Well, Carole, we will check out the article.

Thank you for that pick of the week, and thank you, David, as well for joining us on the show today.

If people want to find out more about you, how should they follow you on the interwebs?
DAVID BISSON
I'm everywhere on the web. You can find me on Twitter @dmbisson. I'm also on Facebook and LinkedIn. You just look up my name and I'm there.
CAROLE THERIAULT
Basically, you're saying Google me.
GRAHAM CLULEY
Exactly. Duck Duck Go him. StartPage him. Yeah. And if you want to follow us on Twitter, we're @SmashingSecurity. No G. Twitter wouldn't allow us to have a G.

And if you want to get some t-shirts or some mugs or some stickers, you go to the Smashing Security store at smashingsecurity.com/store.

And you can leave a review on Apple Podcasts if you like the show. It really does help new listeners discover us. Until next time, thanks very much for listening. Cheerio. Bye-bye.
DAVID BISSON
Toodles. Thanks. Bye.
GRAHAM CLULEY
I think that went quite well.
CAROLE THERIAULT
Good luck editing.
GRAHAM CLULEY
I'm sorry. It was brilliant, I'm just annoyed we can't use it.

Hosts: Graham Cluley, Carole Theriault

Guest:

David Bisson – @DMBisson

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

One comment on “Smashing Security podcast #090: Fortnite for Android, and the FCC’s DDoS BS”

  1. Vog Bedrog

    The approach to distributing Fortnite is not unique – the free trial of generative music app Wotja X can be downloaded from Google Play, but the full version must be purchased from Amazon's app store (probably as a result the free version has just 100+ installs, while the paid version is ranked #21,478 on Amazon and has no reviews – though I doubt Fortnite's approach will similarly kill their app for the reasons you mentioned).

    It's understandable that developers wouldn't want to pay Google's substantial cut – but for the convenience, app updates, security (not perfect obviously, but at least comfortable to users), promotion opportunities, and visibility to the user base, they at least get a certain value for their money. Again, Fortnite will likely succeed regardless – but more niche apps/developers would probably be wise not to treat this as some kind of precedent.
