CAROLE THERIAULT
Even last year, 2017, a Washington TV station reported that around 100 federal government employees admitted to viewing copious amounts of pornography while on the job.
GRAHAM CLULEY
While on the job.
Unknown
Oh God, oh no, I just repeated it. Smashing Security, episode 102: Ethical Dilemmas: Girl Scouts and Porn Lore.
Ransomware-loving US officials with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 102. My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault. I love the sound of 102. I think that sounds— yeah, I don't know why. It just sounds really cool, like we've made it now.
GRAHAM CLULEY
Yeah, yeah, exactly.
CAROLE THERIAULT
We've arrived.
GRAHAM CLULEY
We can just stop now, I think. And that's the end of today. No, no, no, we've got a special guest, haven't we?
GRAHAM CLULEY
We can't stop the show before we've introduced him. Special guest this week is Dan Raywood, new to the show. Hello, Dan.
DAN RAYWOOD
Hello, Graham. Hello, Carole Theriault.
DAN RAYWOOD
Hello. Nice to be here. Once I've made 3 figures, you get the proper guests in. I can see that.
CAROLE THERIAULT
Smashing Security virgin.
GRAHAM CLULEY
We've just been practicing, Dan, so that we're ready for you. Now, Dan, if anyone doesn't know, and why don't you know, Dan is a journalist who's been covering cybersecurity.
You currently work for Infosecurity magazine, but you cut your teeth, was it on Conficker and things like that?
DAN RAYWOOD
Yeah, I joined SC magazine back in late '08. That rhymes, doesn't it? And I was there 5 years. So in that time I was there Conficker, that was about May '09.
Let me see, what else did we get? Flame, that was there also. Stuxnet, that was there. ICO Fines, they came around.
GRAHAM CLULEY
Not all of these were because of you though, right? They didn't introduce ICO Fines because you joined the company, SC Magazine.
CAROLE THERIAULT
Oh, ICO Fines. I was thinking it was the name of a virus. I'm like, I don't know that one.
DAN RAYWOOD
Oh yeah, that's another one.
GRAHAM CLULEY
Maybe you're mixing up with Ralph Fiennes.
DAN RAYWOOD
No, that happened when I was there. So yeah, it was full of good news and the party years. Absolutely. Yeah, they were the party years. No, that's a serious yes. Yeah.
GRAHAM CLULEY
Do you miss the old days? Were viruses and malware, was it more exciting 10 years ago than it is now?
DAN RAYWOOD
I'll tell you what I do. I listened to the episode you did with David M. and I've actually asked David M. the question, are we at the stage now where we've found all the viruses?
Because we used to see all those viruses come out of people like Kaspersky Lab. Yeah. And obviously from Sophos and Graham and we talked about this in the past.
GRAHAM CLULEY
Not directly from Kaspersky Lab or Sophos. Before we get sued.
DAN RAYWOOD
No, no, sorry. No.
CAROLE THERIAULT
Smashing Security.
GRAHAM CLULEY
Smashing Security is this week sponsored by the marvelous folks at LastPass.
LastPass allows you to protect all of your passwords across all of your devices, whether they be laptops, desktops, or smartphones.
And if you're an enterprise, you should really run a password manager as well, because you can defend your employees and put in place password best practices.
Make sure to give them a try. Visit lastpass.com/smashing, and thanks to LastPass for supporting the show.
On with the show, because today I want to talk to you about the latest developments with autonomous self-driving cars.
Did you chaps know that self-driving cars are being taught not only how to drive, obviously, but also how to tackle tricky moral dilemmas?
CAROLE THERIAULT
Well, I freaking hope so.
CAROLE THERIAULT
Yeah, well, do I hit the cat or the person?
GRAHAM CLULEY
Well, that's exactly it, because this is the scenario, okay?
CAROLE THERIAULT
Imagine this.
GRAHAM CLULEY
Imagine there are 3 people in a driverless car tinkling along, da da da, going down the road, right? And it's approaching a pedestrian crossing at some speed.
And the crossing is currently telling pedestrians not to cross, right? Shouldn't cross because there are people driving past, right? Fair enough.
However, 3 people have lurched across the road. They're not following the rules.
CAROLE THERIAULT
So there's 3 people in the car, there's 3 people on the roads that shouldn't be there.
GRAHAM CLULEY
And oh, malheureusement, the car—
CAROLE THERIAULT
Is that Italian?
GRAHAM CLULEY
It's probably a Citroën or Renault they're driving. Malheureusement, the car has suffered a complete failure of its brakes. Right.
So should this driverless car swerve into a concrete barrier, killing its occupants, or mow down the 3 people on the crossing?
CAROLE THERIAULT
Yeah. We talked about the trolley dilemma last week.
GRAHAM CLULEY
Yeah, last week I got confused because Maria mentioned the trolley dilemma. I thought she meant shopping trolleys, but this is—
CAROLE THERIAULT
You never went to university. That's probably why.
GRAHAM CLULEY
That's— So, so what do you think? What should it do?
DAN RAYWOOD
It's a tricky one. I would say it's surely the driverless car's got to be intuitive enough to spot a hazard. Is that right?
GRAHAM CLULEY
Yes, you spot the hazard, but the brakes aren't working.
CAROLE THERIAULT
Well, I think what it's going to do is go hazard 1, hazard 2.
CAROLE THERIAULT
Give me a break. It doesn't have a secondary brake mechanism.
GRAHAM CLULEY
Well, no, it doesn't. Carole, they're not going to chuck an anchor out of the back of the car. It's called the handbrake.
CAROLE THERIAULT
It's called the handbrake, Graham.
GRAHAM CLULEY
There's no time for that. There's no time for that. And you've dawdled long enough. We've already not only gone across this pedestrian crossing, but 3 others.
We need a quicker response. Are you going to swerve or hit them? Swerve or hit? Swerve or hit? Swerve or hit?
DAN RAYWOOD
Swerve, I think, yeah.
GRAHAM CLULEY
Okay, and you've killed all of your occupants.
GRAHAM CLULEY
Okay, tricky one, wasn't it?
DAN RAYWOOD
Moral dilemma, isn't it? Yes.
GRAHAM CLULEY
Well, maybe— is it a trickier dilemma if the car contains some beautiful little children? Right?
And on the pedestrian crossing are some old codgers, and remember, they've been told they shouldn't be crossing the road. What should happen?
CAROLE THERIAULT
Maybe they couldn't read the signs because they were so small. That's why they're crossing, and you're going to mow them down? You're trying to make it attractive to mow them down?
GRAHAM CLULEY
No, there are kids in the car, old codgers. Yeah, so I mean, so who should die? Are you saying the kids should die? Hmm, it's a dilemma, isn't it?
Well, there is now a project which is helping work out what is considered acceptable.
It is a website called the Moral Machine, and you can go there and you can help them train cars to make these kind of decisions.
It's basically painting different scenarios and letting you decide what is the lesser of two evils?
So what if there were only two people on the crossing, or what if one of them was a kid, or are we more prepared to let old people die than young people?
I was doing this and it said, do you want to choose to save the athletic young females ahead of the podgy middle-aged security pundits?
You know, I, I must be honest with you, I went for the security pundits. I thought, yes, let's look after those tubby guys. It's, but it's not for many people an easy decision.
CAROLE THERIAULT
Thanks to you, Graham.
GRAHAM CLULEY
Yes, exactly. And there's also legislation coming in.
So Germany, for instance, working on laws for autonomous self-driving cars, and they're producing ethics guidelines, and they're proposing that cars shouldn't be able to choose between people based on personal features, their age, their sex, their wealth, attractiveness.
CAROLE THERIAULT
Okay, okay, I, to be controversial here.
CAROLE THERIAULT
I am going to wager, based on some very light reading I've done, so I'm no expert in this area.
But from what I've read, driverless cars are said to be much, much safer overall than human drivers. Right?
GRAHAM CLULEY
I think probably.
CAROLE THERIAULT
So really, the idea of these dilemmas is a little bit moot at this stage, since we're going to see a drop of maybe 50% of car-related accidents and deaths.
GRAHAM CLULEY
But there have been deaths already with driverless cars.
CAROLE THERIAULT
Sure, there's been a lot more deaths at the hands of humans behind the wheel.
GRAHAM CLULEY
I'm not doubting that, right? But at some point, a car is going to be put in this position, and it may be that the system is not working well enough to stop in time, for instance.
But it does have the potential to choose who is going to be hurt. Is it the Olympic athletes team or the lardasses lumbering over the pelican crossing?
CAROLE THERIAULT
I know who I'd choose.
CAROLE THERIAULT
I don't want to say. It's personal.
GRAHAM CLULEY
The athletics team, isn't it?
CAROLE THERIAULT
Personal.
GRAHAM CLULEY
You're just a bit weightist.
GRAHAM CLULEY
What about old people? Take a long time to cross the road, may not have long to live anyway. What's the point of saving them?
CAROLE THERIAULT
Yeah, just mow down Granny. Great idea, Graham. I love it.
GRAHAM CLULEY
And all right, let's make it a bit more personal, because at the moment, you seem to be finding this very easy.
GRAHAM CLULEY
What if there were cats on the road? What about if on one side of the road—
CAROLE THERIAULT
The car should automatically explode a safe distance away from the cats.
DAN RAYWOOD
What if there's—
GRAHAM CLULEY
On one side of the road is a dog? Oh, yes. So we have self-driving cars, driving cars with explosives built into them. Nice one.
So there's a dog on one side of the road and a cat on the other, neither of which are following the rules of the road and have not waited for the appropriate juncture to cross to the other side.
Who should the car flatten?
DAN RAYWOOD
Well, surely the cat.
CAROLE THERIAULT
Did the dog pee on the car at any time?
GRAHAM CLULEY
Most likely not. No, Carole, no.
CAROLE THERIAULT
Look, I think you're just being a little bit— you're setting these crazy-ass parameters where we're not allowed to choose or, you know, go outside.
GRAHAM CLULEY
So what would you rather do? Would you rather leave it to Elon Musk's random number generator to say, well, I've got two options here. I can't decide which one is right.
I'll just flick a coin.
GRAHAM CLULEY
Would you rather that?
CAROLE THERIAULT
You know what? It probably would be fairer if it was not a moral decision. It was just a random toss of the coin.
If two people have to die in a situation, or three in your case, why shouldn't it be just random?
GRAHAM CLULEY
It's interesting, isn't it? Because you can imagine the fallout if something like this were to happen. So if, for instance, a bunch of fat cats from the city were in a car—
CAROLE THERIAULT
What's wrong with you and the whole weight thing, anyway?
GRAHAM CLULEY
No, it's just fat. I'm just saying, if rich entrepreneurs were in the car and they ran over children in their driverless car.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
People may think, well, that's just wrong. You know, that shouldn't have happened.
And you can imagine legal action being taken against car companies because their software, maybe it's random number generators, shouldn't have been initiated.
CAROLE THERIAULT
Yeah, it's going to be like, okay, okay, we weren't that random. We just said anyone over 60 didn't matter.
GRAHAM CLULEY
Right. Interesting.
CAROLE THERIAULT
You're not far off 60 anymore, Graham. You need to think about these things before you start, you know, so here's the good news for some listeners, right?
GRAHAM CLULEY
The good news is if you're a baby listening, or a little girl or a little boy—
CAROLE THERIAULT
I hope you're not listening because this is not the show for you. Go watch Peppa Pig.
GRAHAM CLULEY
Or a pregnant woman. They probably shouldn't be listening to this show either.
CAROLE THERIAULT
Oh no, they definitely should be listening.
GRAHAM CLULEY
You're more likely to be saved according to the tests being done on this website, The Moral Machine. Most people think that you should be saved.
Whether you're in the car or on the zebra crossing, they think you should have priority. But it changes from country to country.
So for instance, in the West, we typically are saving the youngsters. And in, for instance, Japan, it's like, oh no, you've got to save the old people.
CAROLE THERIAULT
Yeah, the elders are the key.
GRAHAM CLULEY
So if you want to improve your chances next time you're crossing a road, I recommend you visit the Moral Machine website right now.
CAROLE THERIAULT
Which is not HTTPS secure, so FYI.
GRAHAM CLULEY
Yeah, but you're not giving any personal information other than who you want to die.
CAROLE THERIAULT
Yeah, don't log in.
GRAHAM CLULEY
And there you can play God and decide who should live and who should die. And maybe you can help program tomorrow's self-driving cars.
And Lord help us if the hackers ever break into these car companies and fiddle with the software and we get unusual repercussions as a result.
CAROLE THERIAULT
You know what? But to Dan's point earlier, you have actually stretched the entire meaning of security, right? So nothing happened this year.
So you've mentioned nothing about cybersecurity in this whole piece. You basically have extended the meaning to include now physical security, which is, you know, all right.
GRAHAM CLULEY
Thank you very much. Thank you very much. Well, it's episode 102. It's a new era. I'm like Jean-Luc Picard, and you are Deanna Troi, the empath.
CAROLE THERIAULT
Oh God, I am not Deanna Troi.
GRAHAM CLULEY
Beverly Crusher?
CAROLE THERIAULT
No, I want to be Data.
GRAHAM CLULEY
You'll be Data. Dan, are you Worf? I'm not sure.
DAN RAYWOOD
Do you know my stepbrother played Worf on stage once in a production?
CAROLE THERIAULT
But did he papier-mâché his face?
DAN RAYWOOD
No, he put some brown face paint on, which is still hilarious.
GRAHAM CLULEY
You can stick a Cornish pasty on your forehead. That's the other way of playing a Klingon.
DAN RAYWOOD
That would have been even funnier, especially if you started sweating. Or it broke open and the gravy started leaking.
GRAHAM CLULEY
Dan, what have you got for us this week?
DAN RAYWOOD
Okay, let's start with the question. Were either of you ever in the Scout movement?
GRAHAM CLULEY
I was in the Boys Brigade for about 45 minutes once before I quit, but that is the extent of it.
CAROLE THERIAULT
Funny, Graham, because I was in Girl Guides for about 45 minutes. Really? Yeah, not Girl Guides, Brownies. It was just so happy clappy.
It was all— ours was just too— I know I grew up a bit wild in the wilds of Canada. I had a bit of a fun life.
GRAHAM CLULEY
I think we realized that.
CAROLE THERIAULT
And I just was like, oh, organized fun wasn't for me.
GRAHAM CLULEY
Yeah, wasn't my cup of tea at all.
DAN RAYWOOD
Well, not me neither, I'll be honest. I went to Cubs, yeah, again for about 45 minutes.
CAROLE THERIAULT
Maybe there's a lot of us.
DAN RAYWOOD
Well, there's a whole different conversation around whether the Scouts are doing anything cyber. I would be fascinated to know. Please get in touch. Or whatever.
But the reason I mention that is a story—
GRAHAM CLULEY
So you're asking Scouts and Cubs to get in touch with you? Is that entirely sensible, Dan?
DAN RAYWOOD
Hopefully the people behind the—
DAN RAYWOOD
Oh, I'm going to stop before it goes too far. But the reason I mention this is a story broke on Friday afternoon. This is called ABC 30.
Authorities are investigating a data breach which affected members of the Girl Scouts of Orange County in Southern California.
According to their story, about 2,800 members may have been affected by a breach which saw information stolen, including names, birth dates, home addresses, insurance policy numbers, health information.
CAROLE THERIAULT
And so when you say 2,800 people, you mean 2,800 girls?
DAN RAYWOOD
Yeah, well, it says here 2,800 members, so we're assuming Girl Scouts. And I did a quick search earlier on, on what the age range— it's quite broad. It's from 5 up to 18.
So there's a good side of this story because the identification found that the person who did this was only in for one day, and this was on 30th September to the 1st of October this year.
So we're literally almost exactly a month ago.
Now, if you think about how long it took some other breaches to turn around that data, I'm thinking Uber, Experian, other on-the-record breaches where we can point to things taking months and months to be disclosed.
DAN RAYWOOD
They've done a great job there.
CAROLE THERIAULT
Yeah. So whoever stole the data was only in the system for one single day.
GRAHAM CLULEY
And then 4 weeks later, the notification has come out. Whereas Cathay Pacific, for instance, who announced a breach last week, I think it was.
They took 6, 7 months after they discovered the breach before they made it public. It's just scandalous sometimes how long organizations take.
DAN RAYWOOD
So it's an email account. There wasn't a huge amount of detail on the story.
We did pick this up on Infosecurity and it does state here that an unauthorized third party gained access to the Orange County travel email account, which was used to send emails to others.
We presume phishing emails. So presumably what the bad person could have done if they had not have been removed from the system so quickly.
But what's quite interesting with this actually is that it's a travel email account. So what we're going to assume is that the people on that were in this voluntarily, shall we say.
They wanted to join this particular mailing list, probably because it's for arranging camps and stuff like that and trips away.
DAN RAYWOOD
And while we assume no emails were sent while this person was in, what we assume is that there's someone owns this email account that hopefully is probably secured with a password that hopefully has been changed.
I'm using the word hopefully quite a lot, and I'm also pressing my hands in quite a lot of ways. But it does leave the question of how this was accessed in the first place.
Who actually goes after the Girl Scouts thinking that's a viable target? And also, if they've managed to keep hold of that information, then why?
GRAHAM CLULEY
But do you think they were specifically targeting this account because it is connected to the Girl Scouts, or was it a case of simply someone trying to break into lots of email accounts?
They got lucky with this one because maybe it didn't have two-factor authentication, maybe it didn't have additional security in place, and they happened to come across a mailing list and the details of all of these Girl Scouts?
DAN RAYWOOD
Well, you know, we know that people will try and access email accounts, for example, when they get a dump from, let's pick a big one like LinkedIn, for example, passwords, email addresses.
I know of people, thankfully no one on this podcast or probably listening to this podcast, who use the same password email combos for lots of social media accounts.
But in this case here, that's possibly what's happened.
Someone's used that from access data they've managed to get, they get into this person, whoever is the administrator for the Girl Scouts of Orange County, get a database of 2,800 people, age 5 to 18 potentially.
It's got a lot of potential bad things could happen from this.
CAROLE THERIAULT
So what we're hoping now, I guess, is for the 2,800 girls who've been affected or account holders to get some quick education on changing passwords immediately.
And making sure that you haven't repeatedly used their password in different places many people do.
DAN RAYWOOD
Yeah, according to Catalin Cimpanu from ZDNet, who tweeted the statement, said the third party used this email account to send emails to others.
So someone who actually got this— and what I'm going to use is scrud. Those who get the reference about scrud and Girl Scouts will get that. I don't, I don't, you don't get it?
GRAHAM CLULEY
Don't worry, Carole, I'm Googling. Is that safe? Not sure after last week.
DAN RAYWOOD
It's a scrudge.
CAROLE THERIAULT
As long as it's my network.
GRAHAM CLULEY
Something about Friends has come up.
DAN RAYWOOD
There you go. Come on, the episode where Ross becomes a brownie and has to sell Girl Scout cookies.
GRAHAM CLULEY
Is it Series 4?
CAROLE THERIAULT
What season?
GRAHAM CLULEY
Season 4 is the best.
CAROLE THERIAULT
Oh, Season 4?
DAN RAYWOOD
I don't know. They're on Comedy Central all the time. I don't know what episode's which.
CAROLE THERIAULT
We had a good friend who really, really, really rated Season 4 of Friends.
DAN RAYWOOD
Really?
So anyway, the other thing that's quite interesting about at this time, just before Halloween or just after Halloween when this goes out, is this is about the time when Girl Scouts are selling cookies.
Now, obviously that doesn't really happen here in the UK, but Carole, you're probably aware of this in Canada. I've got family live in Toronto as well, and I've tasted them.
They're damn good, actually.
CAROLE THERIAULT
Yeah, there's some of them. Yeah, it depends on which ones you get, but some of them are delish.
GRAHAM CLULEY
What, the Girl Scouts are selling cookies?
CAROLE THERIAULT
Yeah, it's Girl Scout, or I think the Cubs do it too. I think they all do it, but they sell cookies around the neighborhood. You make a bit of cash, support your club.
It's community driven.
GRAHAM CLULEY
Oh, so actually there may be a good financial incentive to phish a Girl Scout or a Cub at this sort of— Are they raking in the big cash?
CAROLE THERIAULT
No, I don't think they walk around. Maybe they're walking around with the contactless transfer machines, right? But I doubt it.
GRAHAM CLULEY
Recipes, Carole? They could have recipes for the cookies if you were a rival Girl Scout.
The Girl Scouts of Orange County, of OC, they sound like they could be a bit bitchy, don't they? No, I've seen the OC TV show. They're all going around in their Lamborghinis.
They've all got beautiful hair. They're all— it's a bit like Mean Girls.
CAROLE THERIAULT
It might be a bit posh land, you mean?
GRAHAM CLULEY
A bit, yeah, I think they've got a bit of money.
GRAHAM CLULEY
Yeah, exactly, exactly.
CAROLE THERIAULT
Okay, okay.
DAN RAYWOOD
But I actually did a bit of searching on Girl Scout cookies because this was just—
CAROLE THERIAULT
Which is the favourite? What's the favourite?
DAN RAYWOOD
I was just learning, I wanted to learn a bit more about this. And according to a blog post from SAS Learning Post, 65 to 75% of the $4 box. Now this was from last year, 2017.
Of the $4 cost of the box, $3 actually goes back to the Girl Scouts. Only the dollar goes to whoever makes these.
So it's a big earning time for the girls and for their troops, whatever you want to call them. And it only takes one nefarious scrub to phish them about this.
And someone unsuspecting could fall for this. That maybe that's what's happened.
We don't know, but someone's got access and it's a bit of a difficult time for the Girl Scouts of Orange County.
CAROLE THERIAULT
According to Thrillist, the best Girl Scout cookie is the Tagalong, or peanut butter patty.
It's not just the best Girl Scout cookie, it might be the best cookie ever made, says Thrillist.
GRAHAM CLULEY
Don't mention peanut butter.
CAROLE THERIAULT
Let us know on Twitter if you agree with that.
GRAHAM CLULEY
I am going to click the reject cookies button. I'm telling you that if it's got peanut butter in it, I'm not having any of that.
CAROLE THERIAULT
Oh, you love peanut butter. You just think you don't.
GRAHAM CLULEY
Don't be ridiculous. Paul, what's your story for us?
CAROLE THERIAULT
So, years ago, I joined a company, and there was this laddish sales dude. I'm going to call him Dwayne.
One evening, Dwayne sends a sensitive email around to a group of recipients rather than just to his mate. And the email group included his boss and other senior players.
Now, the contents of Dwayne's email did not break any privacy rules, but they did ruffle quite a few feathers.
You see, the email was a picture of a woman and an animal frolicking in the way that should be reserved for special adult recesses of the internet. Not—
GRAHAM CLULEY
What sort of animal? Like an emotional peacock? What sort of thing are we talking about?
CAROLE THERIAULT
A horse.
GRAHAM CLULEY
Oh, no, no. Yeah. Okay. Well, I wish I—
CAROLE THERIAULT
You know this person.
GRAHAM CLULEY
Dwayne? I don't know anybody called Dwayne.
CAROLE THERIAULT
No, I've given him a pseudonym.
GRAHAM CLULEY
Okay. All right.
CAROLE THERIAULT
I'm just saying, you know this person.
GRAHAM CLULEY
Will you whisper it? No, I'll tell you after the show. Okay.
CAROLE THERIAULT
Okay, I'll tell you. No, I can't. We have a guest. Okay.
GRAHAM CLULEY
Could you mime it for me?
DAN RAYWOOD
Podcast gold.
CAROLE THERIAULT
So you understand what I'm saying, right? A picture that really, really doesn't belong.
GRAHAM CLULEY
Sounds foul. Something completely and utterly gross.
CAROLE THERIAULT
Catherine the Great.
GRAHAM CLULEY
Yeah, thank you.
CAROLE THERIAULT
So the only reason I even found out about this whole thing was I was working late and this guy Dwayne comes running up to the head of IT who sat nearby and he was freaking out begging for the email to be recalled.
And the IT guy saved his bacon and Dwayne was never reprimanded.
CAROLE THERIAULT
Yeah, no, 'cause no one ever knew. But I'm sure he learned his lesson, right?
GRAHAM CLULEY
And now it's been broadcast on a podcast.
CAROLE THERIAULT
Well, yep, if you're out there, Dwayne. When I was researching the story, I couldn't help but wonder if this next employee learned his lesson the same way that Dwayne had.
His name is redacted from the inspector report I'm going to share with you. So we need a name to refer to him as, or her.
It's an employee, but I'm definitely pretty 100% sure it's a guy.
GRAHAM CLULEY
David Dennison or something like that. Okay.
CAROLE THERIAULT
So Dave worked at the US Geological Survey. Now, I didn't know anything about this, but the US Geological Survey, or USGS, has been around for 125 years.
It was formed in 1879 by an act of Congress, and it's the nation's largest water, earth, biological science, and civilian mapping agency, and it employs 10,000 scientists in 400 locations.
So 10,000. So a big outfit, right?
GRAHAM CLULEY
What are they doing? What are they doing?
CAROLE THERIAULT
They're researching the earth, researching water, coming up with ideas on how we can clean up the mess that we've all created.
GRAHAM CLULEY
Is that really necessary? I mean, you know, Earth and things and geology, doesn't it stay fairly static? Isn't that fairly easy to say there's a hill over there?
How much more research doesn't need to be done?
CAROLE THERIAULT
Anyway, you digress.
CAROLE THERIAULT
Now, during an IT security audit, the inspectors noticed some suspicious network activity on the USGS.
Okay, that's the word I'm going to say from now on when I say US Geological Survey place. On the USGS systems in Sioux Falls in South Dakota.
So the inspectors investigate, and they trace it back to a single computer, which they found to be infected with malware.
And it turns out that Dave Dennison was rather a big fan of the not-safe-for-work sites while at work.
And in fact, Dave visited over 9,000 fruity pages, many of them of Russian origin and many of them containing malware.
GRAHAM CLULEY
So what is the relevance of many of them of Russian origin? Why have they put that in the report?
It's, oh, you thought it was fruity porn, but this is Russian porn, which comes in from the cold.
CAROLE THERIAULT
Okay, maybe I've worded myself badly. What I'm trying to say is that the origins of the actual sites that are holding this porn are of Russian origin.
GRAHAM CLULEY
Girls wearing fur hats.
CAROLE THERIAULT
Catalina.
GRAHAM CLULEY
She's got her balalaikas out.
CAROLE THERIAULT
Yeah, she's on a horse. Okay.
GRAHAM CLULEY
But the important thing is that these 9,000 porn pages, some of them had malware on them.
CAROLE THERIAULT
Exactly. Right. Now, on top of that, Dave was also found to have saved a glut of this porn to his personal USB drive and Android smartphone.
GRAHAM CLULEY
How boring must it be to be a scientist at the US Geological Survey, right? Looking at hills, wondering if the hill is going to change in some fashion.
CAROLE THERIAULT
I'm going to quote the report here. So we found that X knowingly used US government computer systems to access unauthorized internet web pages.
We also found that those unauthorized web pages hosted malware. The malware was downloaded to X's government laptop, which then exploited the USGS network.
Our digital forensic examination revealed that X had an extensive history of visiting adult pornography sites.
9,000 web pages visited, routed through websites that originated in Russia and contained malware. So that's where that comes from.
GRAHAM CLULEY
If he's been to 9,000 web pages, right?
CAROLE THERIAULT
Well, how could he not find what he wanted in the first 20?
DAN RAYWOOD
What's he doing at work? Looking at hills and valleys.
GRAHAM CLULEY
How long would you— when?
CAROLE THERIAULT
Has he not found a favorite?
GRAHAM CLULEY
How long would you spend on one web page?
Oh yeah, I don't know what to say, but even if it was a pathetically short amount of time, it would take years, wouldn't it, to do this and to do all your very important job being a geological scientist.
CAROLE THERIAULT
Like, it's crazy. It's crazy. I can't even— I can't— I don't even have words. I should state that the USGS have an annual security audit, right, which includes staff training.
So Dave Dennison attended and agreed to the rules of conduct and admitted as doing so during this investigation.
Rules also state no illegal or inappropriate activities on our systems, employees, right? So it's telling them not to do that.
And obviously, I don't know if— I don't know if Dave doesn't sign to that, but he was aware and he admitted that much.
GRAHAM CLULEY
I'm sorry, I just keep— so did they have no web filtering in place? Did they have nothing?
CAROLE THERIAULT
Exactly. So obviously, the inspectors gave some advice. And one of the big things was, could you maybe disable the USB ports? That's one.
CAROLE THERIAULT
Restrict the use of removable media. You don't want people plugging in their dirty iPhones into your network necessarily. And the other one was web filtering.
So maybe use a blacklist to prevent employees from accessing known dangerous sites.
DAN RAYWOOD
Sorry, here's a question. Do we know the timeframe these were accessed in? Was it a year or was it 125 years? Now that's a question because I could visit 9,000 websites in a year.
Obviously they're all—
CAROLE THERIAULT
Of porn?
GRAHAM CLULEY
No, no, I have done just during this recording. I've got more than one window open if I get a bit bored.
DAN RAYWOOD
But yeah, I could probably do it in a year, 9,000 pages. But if it's the case of a decade, you think that's probably I haven't got a great math brain. I'm great.
GRAHAM CLULEY
About average, right?
DAN RAYWOOD
I'll give you general websites here.
CAROLE THERIAULT
That's a really good question. So I'm just looking now.
I don't think they give that, but I've also found the Office of Inspector General, US Department of the Interior's report on this. Little light in the loafers.
I don't know what the malware was that they found.
CAROLE THERIAULT
There's, you know, there's a few kind of hard-hitting facts that seem to be missing from my point of view. How long did this go on? What are the dates that this happened?
So the whole report is dated 17th of October 2018, but how long have they been researching or doing the investigation? I don't know.
So do you think, boys, that this is the first time that this has ever happened in a government office?
GRAHAM CLULEY
Absolutely, absolutely, yes. This is the first time, and that's why you've brought it to our attention.
And it serves as a warning for all government workers, whether they be politicians or civil servants, not to go to any website, and thankfully they don't.
Thankfully they never would.
CAROLE THERIAULT
I'm sorry, but you're wrong.
Even last year, 2017, a Washington TV station called News 4 reported that around 100 federal government employees admitted to viewing copious amounts of pornography while on the job.
GRAHAM CLULEY
While on the job?
CAROLE THERIAULT
On the job. Oh God. Oh no, I just repeated it. Does it not beggar belief that people would be watching porn for hours on end in a government job?
CAROLE THERIAULT
What do you do with your stiffy after you're watching the fleshy content?
GRAHAM CLULEY
Oh, please.
CAROLE THERIAULT
What do you do?
GRAHAM CLULEY
A 3.5-inch floppy disk.
CAROLE THERIAULT
Is that why guys are at the desk, you know, when you call them for a meeting, they're like, "I'll be there in a minute." Is that what that comes from? Just need to calm down.
GRAHAM CLULEY
Doesn't take a minute, girl. Not if you've been practicing.
CAROLE THERIAULT
What do they do with the sound? Is the sound turned off?
GRAHAM CLULEY
Well, I imagine—
CAROLE THERIAULT
Do they all have headphones on?
GRAHAM CLULEY
Surely one of the first things is to stop giving these people their own office. Right? If you're open plan, I imagine—
CAROLE THERIAULT
I mean, you have little earbuds and you pretend you're bopping to Best of ABBA.
GRAHAM CLULEY
You can't be looking at stuff on a monitor if you're open plan, and any point Marjorie the tea lady might be coming past, so you don't do it, do you?
But if you're snuck away in a little corner office, then maybe you do.
CAROLE THERIAULT
Yeah, in any case, the lesson here is don't do a Dirty Dwayne, right?
Assume that eyes are on you, because that's the thing I don't think people really realize, how monitored computers are.
So the advice that came back from the inspectors for these guys were, you know, disable ports, use a web blacklist, but also regularly monitor employees' usage history.
Look at those logs.
So, you know, to be clear, from a user perspective, if you're on a company computer but you're accessing your personal email, it doesn't mean they can't see it just because it's your personal email.
They could have all kinds of little web loggers on and event loggers to kind of see how long you're on that, what site you went to. You can even have keyloggers.
GRAHAM CLULEY
You would kind of expect if someone was doing something like this, and if they were quite enjoying themselves, you would kind of think they would probably do it on their own mobile phone or something, wouldn't they, rather than on a—
CAROLE THERIAULT
Well, what if you're connected to the Wi-Fi? Again, people will connect to the Wi-Fi and go, I have no idea how they knew. It's because you're on their Wi-Fi.
So I just think if you're that way inclined, A, don't work at the government. What are you doing? That's crazy. And two, don't connect. Don't do it on their systems.
Don't do it on the network. Don't do it on their devices and don't do it on their Wi-Fi. Don't do anything that you wouldn't want your boss, IT, or HR to know.
DAN RAYWOOD
That's always a good policy. Do what you like at home. Don't do anything that— well—
CAROLE THERIAULT
Were you going to say, don't do anything you wouldn't want your mother to know?
DAN RAYWOOD
Yeah, almost. Yeah. But no, it always strikes me, I've worked in lots of companies with different varying IT policies.
I mean, when I worked with 451 Research, I was able to download Spotify and other places I've worked in, I've not been able to even have access to a gambling website.
Not that I gamble very much, but it just goes to prove that, you know, different companies have different policies for use of the internet.
But I think it just comes down to a bit of common sense about actually what am I here for? Oh, you're here to work and look at hills and mountains and stuff.
Not to look at the other types of hills.
CAROLE THERIAULT
And I know, okay, but come on, come on. So the guy, obviously this guy was really bored or had a, or had an issue, had a little addiction problem there with the whole—
GRAHAM CLULEY
Do you think, do you think Carole had a little bit of an addiction from 9,000?
CAROLE THERIAULT
Yeah, 9,000 web pages visited by Dwayne for an unknown amount of time.
GRAHAM CLULEY
Dwayne him.
CAROLE THERIAULT
Is that why you like podcasts so much?
CAROLE THERIAULT
So you can do a Dwayne?
GRAHAM CLULEY
I think you'd hear the table being thumped. Oh, God, no, no, no, let's not do this. Many of us have worked in big companies, right?
And we know that it only takes one person to make a boo-boo to allow the hackers in.
Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. It's horrendous! Nightmare!
That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.
LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.
As an administrator, you can create highly secure passwords for your new starters right from the onset. It means no snafus.
Listeners can check it out for themselves by visiting lastpass.com/smashing. No more password snafus, no more boo-boos, just LastPass.
And welcome back, and you join us at our favourite time of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
DAN RAYWOOD
Pick of the Week.
CAROLE THERIAULT
Ah, he listens. That's the test. Actually, we can explain the test.
GRAHAM CLULEY
Sometimes, Dan, we have guests on the show, don't we, Carole?
CAROLE THERIAULT
Well, he'll know this because he's heard them.
GRAHAM CLULEY
Yeah. And they don't appear to realise that they have to say Pick of the Week when the music happens.
DAN RAYWOOD
Well, back when you did your 100th episode and you said, can you put in your favourite bits with a timestamp?
I really should have put in when it was John Leyden who forgot to say it and he just, what? Oh, Pick of the Week.
DAN RAYWOOD
So download that one again. It's really almost making me laugh out loud, actually. But yeah.
GRAHAM CLULEY
Anyway, pick of the week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily.
CAROLE THERIAULT
Just like your main story shouldn't be, right? We're in a new era now.
GRAHAM CLULEY
Now my pick of the week this week is a website. It's a very quick and simple pick of the week. It's called 10yearsago.io.
CAROLE THERIAULT
Oh, cute.
GRAHAM CLULEY
Okay.
And this is a website which will show you a snapshot of what some of your favourite internet web pages— not the ones visited by geologists in America— some of your other favourite web pages looked like exactly 10 years ago today.
So you can go and check out Reddit, or you can go and check out CNN or Amazon. And it's kind of cute.
CAROLE THERIAULT
I'm on the web page right now. Can you check out any website?
CAROLE THERIAULT
Only one of these 16 they offer.
GRAHAM CLULEY
If you want to explore further, this is all being powered by the Internet Wayback Machine.
You can go and visit the Wayback Machine and you can go and look up your favorite website there.
And if you're lucky, they will have grabbed a snapshot of your favorite page 10 years or so ago. But this is more precise to the day.
And this was recommended to me by a listener, one of our listeners in Brazil. Fabio, and I apologize for saying your surname incorrectly, almost certainly, Fabio Loznak.
And he told me go and check it out. And I thought that's cute because sometimes I get a little bit nostalgic, Carole.
CAROLE THERIAULT
No, I agree.
I love— I'm thinking maybe your pick of the week, really, sorry Fabio, should have been Wayback Machine because I don't know if people know how wonderful Wayback Machine is.
Remember, you'd be sitting there sometimes and trying to remember an exact article on a webpage, and of course the page no longer exists on their new, you know, revamped website.
And you can go to Wayback Machine and find that exact article and page. It's so awesome.
GRAHAM CLULEY
This is great, Carole. Yeah, just usurp my pick of the week with your superior.
CAROLE THERIAULT
I didn't usurp, I just added some gravy.
GRAHAM CLULEY
No, you've come in and you've come in and you've said, that's all very well, Graham, but there's actually a better version of this. And you're right. That's why I'm annoyed.
So I would now like to retract my pick of the week. And let's—
CAROLE THERIAULT
Sorry, Fabio.
GRAHAM CLULEY
I'm sorry, Fabio. Ransomware.
CAROLE THERIAULT
Fabio's gone through— their country is going through hell right now.
GRAHAM CLULEY
So he might be very happy. We don't know his politics. Well, anyway, after my disastrous pick of the week, I'm going to ask Dan, what's your pick of the week?
DAN RAYWOOD
Yeah, I was actually going to pick up Infosecurity magazine on Wayback Machine, but I was listening. My pick of the week is a podcast. This is something I—
GRAHAM CLULEY
Whoa, whoa, whoa.
CAROLE THERIAULT
This better be— you better be thinking really carefully right now.
GRAHAM CLULEY
I think I know what his favorite podcast is, Carole Theriault. This is going to be slightly embarrassing, but I think— yeah, go ahead with it, Dan. We're ready. We're ready.
DAN RAYWOOD
It's called 9,000 Pages. It's the story of— no, it's— this is— I don't know where I first heard about this, but it's a podcast called Dead Rock Stars. And I loved this podcast.
There's 23 episodes. They've just finished the first series. And it basically involves two music, mainly rock metal journalists called Mick Wall and Joel McIver.
And they basically just talk about dead rock stars. Each episode's about one particular one. So the first one was on Lemmy. They did one on Lou Reed. They did one on Marc Bolan.
They did one on Jimi Hendrix.
CAROLE THERIAULT
What do they just go in and go, "Hey, Jimi Hendrix, he died." That's the end of the episode.
GRAHAM CLULEY
I think the episodes last about an hour.
DAN RAYWOOD
Yeah. So heck of a conversation.
CAROLE THERIAULT
Talk really slowly.
DAN RAYWOOD
But a lot of them have interviewed these people. They've worked with them. They tell stories about what they were like and they discuss their legacy.
I put another friend of a, maybe a friend of the show, Rik Ferguson, onto this. I said, Rik, you've got to listen to this podcast. It's really, really fun.
And I know it's very simple. It's just two journalists sitting around. They've got a real thing for eating pork pies. So they eat pork pies and talk about rock legends.
CAROLE THERIAULT
Graham, Graham, no, we cannot, we cannot bring that on our show.
GRAHAM CLULEY
Okay, Graham, no, no, no eating during the show.
DAN RAYWOOD
But anyway, I really liked it. It was, it's just finished the first series and yeah, that's why it's my pick of the week.
CAROLE THERIAULT
That's a very good pick of the week.
GRAHAM CLULEY
It would be a shame if a lot of famous rock stars had to die so that they could then do a third series of this, wouldn't it?
CAROLE THERIAULT
Isn't it?
GRAHAM CLULEY
Second or third series? Second series.
GRAHAM CLULEY
Second series.
DAN RAYWOOD
They've done one series. Yeah.
CAROLE THERIAULT
They've only got 23 down. A lot of rock stars have died.
GRAHAM CLULEY
They'll have people like, oh, I'm trying to think. Do you remember all those rock stars who died when they were 27? Like Jim Morrison.
GRAHAM CLULEY
And Hendrix, of course. Janis Joplin. Didn't Amy Winehouse, I know she's not really rock, but Kurt Cobain.
DAN RAYWOOD
Kurt Cobain was another one. Yeah.
DAN RAYWOOD
I don't think he was 27.
GRAHAM CLULEY
I don't think he was 27.
DAN RAYWOOD
Do you know a story about the 27 Club?
GRAHAM CLULEY
Are you just naming dead people now to try and join in the conversation?
CAROLE THERIAULT
Yes, I tuned out for 30 seconds, then I was thinking of George Michael.
DAN RAYWOOD
He's not 27 either. I'll tell you a quick story about the 27 Club, actually.
Jack White from the White Stripes, and then later in his solo career, he was in a car crash when he was 27. He was thinking, oh no, not me too. And he survived it, obviously.
But yeah, that's a true story.
CAROLE THERIAULT
I don't know about this 27 Club. I don't know anything.
GRAHAM CLULEY
Oh, come on, Carole. For real, for real. Basically, lots of people choked on their own vomit or shot themselves when they were 27 years old. Famous.
CAROLE THERIAULT
What about, what was his name? Buddy Holly. He died in a plane crash.
GRAHAM CLULEY
He did. He was the Big Bopper.
DAN RAYWOOD
He was like 22. I think he was really young.
CAROLE THERIAULT
Yeah, he was young, young, wasn't he? Okay, so he's not part of the club either.
GRAHAM CLULEY
I don't know why there's such an obsession about 27, but obviously someone just connected the dots and therefore conspiracy.
CAROLE THERIAULT
You know, Graham, pretty soon you'll be able to go half my age is 27.
GRAHAM CLULEY
Would you stop releasing personal information regarding my age?
DAN RAYWOOD
Die twice. Hey, I've done two entries.
GRAHAM CLULEY
Carole, you've already had a pick of the week this week, so I'm not sure if we should give you a go. No, I've got a really good one. Okay, okay, okay. Go on then.
CAROLE THERIAULT
Okay, the world's a bit crazy right now, in my view, and it seems to me that more of us good people should do good things more often, right?
And this is the lazy good person's way to feed the hungry and improve knowledge. Let me introduce you to freerice.com. Okay, go look, go look, go look, go.
GRAHAM CLULEY
freerice.com.
CAROLE THERIAULT
This is free rice.
GRAHAM CLULEY
Freeing Tim Rice from imprisonment if he's been done for tax fraud or something like that, right? This is something else. FreeRice.com. Okay, I'm here.
CAROLE THERIAULT
Okay, so this is a United Nations World Food Programme, and it combines education with fighting hunger.
Get a wide range of subjects to test your knowledge, from maths, humanities, science, or even SAT prep.
And for each correct answer, Free Rice donates 10 grains of rice to someone who needs it.
GRAHAM CLULEY
So what, it has an online game? And if you—
CAROLE THERIAULT
Yeah, there's a number of different games, and you can go and take one. And it starts easy, and it gets harder and harder.
And you collect rice in a bowl, and then that rice is donated across. Now they're working on the site.
They're planning to revamp it because, Graham, you'll notice it's not— I don't think it's HTTPS either.
And it's interesting because I was talking to my brother, my very cynical brother, before the show.
GRAHAM CLULEY
As opposed to the other brother.
CAROLE THERIAULT
He's also extremely cynical. And my brother's reaction was very different from mine. He just paused and he said, so they hold hungry people hostage until you learn something.
Is that right?
GRAHAM CLULEY
That's what he said. We'd love to give you this rice, but unfortunately Carole hasn't answered this question on a webpage.
CAROLE THERIAULT
She's too stupid, so all you get is these 10 grains.
GRAHAM CLULEY
And there's a guy at the US Geological Service who hasn't visited the free rice website, but he's working his way through.
CAROLE THERIAULT
He's very busy.
GRAHAM CLULEY
He's very busy working his way through 9,000 other webpages first.
CAROLE THERIAULT
He's got a hand cramp at the moment, but he'll be back.
GRAHAM CLULEY
Oh goodness. So you answer— so I've got a question right here. So I've got the question which says, this vocabulary. It says forest means boat, cab, raisin, or woods.
CAROLE THERIAULT
Right, are you having trouble there?
GRAHAM CLULEY
I think I click on woods, right? So I'm going to click on that.
GRAHAM CLULEY
And it says correct. Okay, so what have I done now? I've just donated 10 grains of rice.
GRAHAM CLULEY
But why is it doing this? Why? Is it crypto mining in the background or something? Why are they— well, why do they want me to be on this site doing this? This isn't useful, is it?
CAROLE THERIAULT
Well, I think it's actually a win-win. I think the way I looked at it was hey, help educate the world with real facts.
Right now you're in the vocabulary section, but you could be in the math. That would be useful, right, Graham? The whole percentages thing. We can work on that together.
And you'd be feeding someone at the same time. So you don't feel you're being too indulgent, just spending time learning. You're actually doing something good for the world.
GRAHAM CLULEY
Now I've just seen— so I was feeling a little bit cynical and thinking, how do they make money to pay for this rice?
And I've got a little thing on the screen here which says, you may have an ad blocker or software enabled that is preventing us from displaying the sponsored ads that are paying for the great grains of rice that you are earning.
And so they're encouraging me to disable my ad blocker, which I'm not really wanting to do. But that's okay. So that's how they're making their money then. Okay.
As long as it's not crypto mining or anything unpleasant like that.
CAROLE THERIAULT
It's also the UN, right? They do get funding from a number of different countries around the world for exactly this purpose. In fact, I have a friend who works at the UN.
I'm going to ask them about it and I'll report back to the show.
GRAHAM CLULEY
Whoa, hang on a minute. I'm on the about page and it says it's not the UN.
CAROLE THERIAULT
Oh, really?
GRAHAM CLULEY
They say they are a 100% nonprofit website that is owned by— oh, and supports the UN World Food— so is owned by the—
CAROLE THERIAULT
Don't think I don't do my research, Graham Cluley. I do my research.
GRAHAM CLULEY
It's a little embarrassing. I thought they were just saying that they were supporting them. Okay, I misread it. Oh dear.
DAN RAYWOOD
It's good. I'm enjoying it.
CAROLE THERIAULT
Okay, so Free Rice, check it out. It's fun. It's good. And hey, if you're bored for 5 minutes, go give someone an appetizer of rice.
GRAHAM CLULEY
You've got some choices.
DAN RAYWOOD
Well, I'm not gonna say I've been bored for the last 5 minutes, but I'm up 280 grains while you two have been talking. You see?
CAROLE THERIAULT
You see? You've just given someone a meal.
DAN RAYWOOD
I'm lost though. Heighten means refrigerate, discontinue, nauseate, or intensify. I don't get that.
CAROLE THERIAULT
Intensify. Yes.
DAN RAYWOOD
Intensify. Do you think it's intensify? Can we get to 300 while we're live? Rejuvenate, restore.
GRAHAM CLULEY
Calls himself a journalist.
DAN RAYWOOD
300 grains I'm giving out there. There we go.
GRAHAM CLULEY
On that bombshell, we've just about wrapped it up for this week. Dan, if anyone wants to follow you on the socials, where is the best place to do that?
DAN RAYWOOD
Yeah, just my name on Twitter, @DanRaywood. And yeah, just Google my name, I should come up pretty high.
CAROLE THERIAULT
He's that old, people.
DAN RAYWOOD
Yeah, just got my yells in early. Yeah.
GRAHAM CLULEY
You can also follow the podcast on Twitter @SmashingSecurity, no G. Twitter wouldn't allow us to have a G.
And if you do that, occasionally we tweet out special coupons for our online stores so you can grab a mug, a t-shirt, or a sticker. Get those at smashingsecurity.com/store.
We don't get any money out of that. We just do it because we love you.
CAROLE THERIAULT
We love you.
GRAHAM CLULEY
Thanks for tuning in. If you like the show, rate it on Apple Podcasts. It helps new listeners discover the show.
CAROLE THERIAULT
It helps so much. It helps so, so much. So please do.
GRAHAM CLULEY
So until next time, cheerio, bye-bye. Bye.
CAROLE THERIAULT
How was it for you, Dan?
DAN RAYWOOD
I couldn't get a word in half the time.
DAN RAYWOOD
I know it's your show, but I don't know if you want to cut out my various stumblings in, but it was good. It was— what you missed about 20 minutes in was my PC tried to reboot.
Yeah, reboot came up. I'm like, oh, not now. I just deleted it. I just said, "No, come back in an hour." Who needs a security update, right? Yeah, damn right. I've got a VPN running.
Are we not recording still?
GRAHAM CLULEY
Yeah, we are actually.
CAROLE THERIAULT
Outrageous.
You know Graham the description is extremely enticing. It's so enticing that even with all that's going on in my life at the time (you don't even want to know…) I'm very tempted to play it. As an aside though Firefox has a warning on the apple.com link of the 10 years ago site. That itself is a very interesting thing. If I think about it I remember these things and more (at least of the sites I visited – and other things unrelated to the web) but it's amazing how much changed! I'm a very different person in fact and that's a huge reason I've not been around (but for good things: mostly good that is). Of course when it comes to technology things change at a far faster rate than 10 years. As for the warning it says for apple.com:
—
Deceptive site ahead
Firefox blocked this page because it may trick you into doing something dangerous like installing software or revealing personal information like passwords or credit cards.
tenyearsago.io has been reported as a deceptive site. You can report a detection problem or ignore the risk and go to this unsafe site.
Learn more about deceptive sites and phishing at www.antiphishing.org. Learn more about Firefox’s Phishing and Malware Protection at support.mozilla.org.
—
The other one I tried – bbc.co.uk – had no issue though. I must say I'm very intrigued about what your thoughts are on driverless cars and the irony in your question is both amusing and scary (because the idea of driverless cars is scary to say the least). Perhaps it was intended that way; knowing you it probably was but I'll have to listen. The idea of who deserves to die in a driverless car accident is just … well to pose the question is just so utterly ridiculous. Maybe even crazy. Probably not mental though… I think I shall listen to it or at least some of it.
Hope all's well for you!
Good to hear from you, and thanks for the message.
I think what you're seeing there is Firefox trying to be super-clever about proactively detecting Apple phishing sites and – in this case – getting it wrong.
It's no wonder browsers might be trying to protect users from bogus Apple sites considering the prevalence of Apple-related phishing scams… but in the case of this URL, it seems pretty benign to me.
My thoughts on the driverless cars being safer: it's a blatant abuse of statistics. That's something that's so easy to do. It's something politicians abuse. It's what organisations abuse. It's what many people don't understand too.
And you're right to set those scenarios because they could happen. The idea of pseudo-randomly deciding who to kill is just insane. A life is a life and every life is precious. And that goes for non humans too. The thing that bothers me is: emergencies. Ambulances and other emergency vehicles. Seconds count. And they can't always follow the normal rules of traffic. Anyone who says this problem will be completely worked out is naïve. This will lead to disaster in some form or another. And again if you want to argue statistics let's go for a great example:
Approximately 55 million people died in the Second World War, right? Okay and consider how many died from Black Death. Makes those 55 million rather meaningless doesn't it? At least it would if you want to use the 'logic' the car manufacturers are using… If there are fewer deaths by their cars compared to cars with drivers and there are fewer deaths from the war to Black Death then all that matters is that there are fewer deaths: because that's what they're fixated on. Can't have it both ways. There are many other issues here too including how it would affect those in the car.
If someone is in a car that is driverless but they're a passenger thereof and it kills someone do these car manufacturers actually believe it's not going to affect them? Of course it will affect them. And what kind of person would seriously get into a car that might pseudo-randomly kill them given such a situation? I would hope they don't do that but in the end to decide who to kill is immoral and unethical from the beginning and so even if one option is more moral/ethical than the other it doesn't mean it's actually moral and ethical. Yet many people probably would. Absolutely mad.
But in the end does it matter? They'll do what gives them money and unfortunately people will go for these types of things (just like they do for the IoT…) even if they understand statistics. Laziness comes to mind. That's another issue: if you don't have to pay attention to what's going on you're going to be slower in general in reacting. And ironically that also lets your brain deteriorate some which is a great way to not reduce the chance of dementia. As someone who due to health (chronic sleep problems) can't drive (safely which means I won't do it) I am still against these cars and there's not a bloody thing I can do about it. No. The only blood that will come of it is … Well I'll not go there.
AI might have some uses but it's also a menace to society. Anyway had some great laughs (but I stopped after that part). Much appreciated.
Irony: I say that you don't have to think etc. And in the comment there are some horrible typos. Why? Because I'm on the laptop and I am so used to bigger keyboards (including the modern version of the IBM-M model… love those) – as well as the auto correct that's in Safari (but I'm in Firefox for this). If I could edit the above I would fix it – can't stand seeing typos in things I write. Worse than other types of errors, somehow …