The curious case of George Duke-Cohan, Huawei’s CFO finds herself in hot water, and the crazy world of mobile phone mental health apps.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guests Mikko Hyppönen from F-Secure and technology journalist Geoff White.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
So let's do a show and tell, okay? So what do you guys think an appropriate response to the following might be? I never feel skinny enough, I make myself throw up.
Well, you're not that skinny, Carole. I do sometimes— you sometimes do make me throw up if I think about you. I mean, that's— sorry, is that Graham? Graham?
Smashing Security, episode 108.
Phishing, Ransomware, Malware, Darknet, Ransomware, Malware, Ransomware, Ransomware, Ransomware, Hoaxes, Who Are We, and Chatbots with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 108. My name is Graham Cluley.
Phishing, Ransomware, Malware, Darknet, Ransomware, Malware, Ransomware, Ransomware, Ransomware, Hoaxes, Who Are We, and Chatbots with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 108. My name is Graham Cluley.
I'm Carole Theriault.
Hello, Carole, how are you? What's going on?
I'm good. I got a funny story for you, Graham. So I'm doing Christmas cards yesterday, right, for the neighbors, right?
Yeah.
And I've got cards for, you know, Mrs. Smith, and I've got cards for Mr. Rogers, right?
And my husband starts laughing because inside his card I wrote, to the man with the juiciest plums.
And my husband starts laughing because inside his card I wrote, to the man with the juiciest plums.
What?
Because every fall he gives me a bag of damsons, you see.
So I don't know if I should send it now, but it's quite funny. Yes, get your mind out of the gutter. Never mind. And we're joined this week by a special returning guest.
It's our pleasure to have Mikko Hypponen back. Hi, Mikko.
It's our pleasure to have Mikko Hypponen back. Hi, Mikko.
Hi there. Hello, Graham. Hello, Carole.
How are you?
Mikko! Great, so glad you're here.
Thank you.
You know, my young son is off school today because he's a little bit sick, or at least claiming to be a little bit sick, and he said, who are you doing the podcast with, Dad?
And I said, oh, Mikko Hypponen. And he goes, Mickey Hypno Man? So he sort of thinks you're some mesmerizing superhero, which isn't that far from the truth, really, is it?
And I said, oh, Mikko Hypponen. And he goes, Mickey Hypno Man? So he sort of thinks you're some mesmerizing superhero, which isn't that far from the truth, really, is it?
No, no, no, I'm not a superhero, I'm a supervillain.
Do you wear your pants outside your trousers? That's what we all want to know.
Not yet, but you know, I'm sure when I retire I'm sure Graham will be your Robin. I'll return to you on that topic. Yeah, we'll get back to you on that.
Now we've got some super duper content coming up on today's show.
I'm going to be talking about the strange case of George Duke Cohen, someone who it seems couldn't stop himself from getting into trouble.
I'm going to be talking about the strange case of George Duke Cohen, someone who it seems couldn't stop himself from getting into trouble.
Mikko's talking everything Huawei, and Kroll is doing a little deep dive on some chatbot apps. Plus, we have a bonus interview from one of our previous guests.
Ooh, crow, sounds curious.
All this coming up.
You need a password for your email account. You need a password for your Amazon, your eBay, your PayPal. You need passwords for everything these days.
And if it wasn't enough of a nightmare looking after your passwords on a personal level, imagine protecting every password inside your business. That's where LastPass comes in.
Every password is an entryway into your business. LastPass makes it easy to secure them all with centralized control.
You can get insight into employee password behavior and the power to change them from your admin dashboard. Find out more. Visit lastpass.com/smashingsecurity. And welcome back.
Now, I want you two chaps to imagine that you worked at the airport. Thank you for waiting, ladies and gentlemen. We invite you to— Oh, the glamour.
And if it wasn't enough of a nightmare looking after your passwords on a personal level, imagine protecting every password inside your business. That's where LastPass comes in.
Every password is an entryway into your business. LastPass makes it easy to secure them all with centralized control.
You can get insight into employee password behavior and the power to change them from your admin dashboard. Find out more. Visit lastpass.com/smashingsecurity. And welcome back.
Now, I want you two chaps to imagine that you worked at the airport. Thank you for waiting, ladies and gentlemen. We invite you to— Oh, the glamour.
I used to work at the airport.
Did you?
Yeah, I used to work at the airport in Ottawa.
Oh, what kind of thing did you do?
PR. That was one of my first jobs.
And I spent half of my time at airports.
Well, imagine you are the person who answers the phone at the airport. There's only probably one person at the airport that answers the phone.
The person who helps people know if their plane is delayed or whether you can buy Toblerone in duty-free, those sort of important questions.
The person who helps people know if their plane is delayed or whether you can buy Toblerone in duty-free, those sort of important questions.
Information.
Yeah.
Oh, right. Okay.
And one day you get a call like this. My daughter just called me 10 minutes ago crying on the phone saying that her flight was getting hijacked.
She said that there were a whole load of imposters and that they were being pushed to the back of the plane and one of them had a bomb. They had everybody at the back of the plane.
She said that there were a whole load of imposters and that they were being pushed to the back of the plane and one of them had a bomb. They had everybody at the back of the plane.
Oh God, I don't know what I would do.
Pretty serious stuff, eh? Well, I'm going to tell you the story of how things got to that bonkers state.
Just over one year ago, in October 2017, the website of a British college in Watford suffered a denial of service attack.
Just over one year ago, in October 2017, the website of a British college in Watford suffered a denial of service attack.
There's a college in Watford?
Yes, there are people— Watford's not that bad.
I didn't say it was bad.
I used to live just down the road from Watford.
I think the real question is, is there a college which has not experienced a DDoS attack?
Right, yeah. And in particular, is there a college which hasn't suffered a DDoS attack from one of its own students studying in IT, which is what happened in this particular case.
So it was one of their own students, a guy called George Duke Cohen, at the time was 18 years old.
And they identified that it was him, but they allowed him to stay on the course for who knows what reason.
So it was one of their own students, a guy called George Duke Cohen, at the time was 18 years old.
And they identified that it was him, but they allowed him to stay on the course for who knows what reason.
Okay.
A decision which I imagine they came to regret, because just a few months later, at the end of January this year, the college was on the receiving end of a different type of threat.
An email bomb threat was received by the college, which understandably, they tend to take those sort of things seriously, just in case.
And 2,500 students and staff were evacuated from the college. And who do you think was responsible? George Duke Cohen.
An email bomb threat was received by the college, which understandably, they tend to take those sort of things seriously, just in case.
And 2,500 students and staff were evacuated from the college. And who do you think was responsible? George Duke Cohen.
Blasted George!
Blah, George! The same guy who did the denial of service.
Now, that time he got thrown out of the college and the police were called and they gave him a good talking to and said, don't be naughty ever again.
But soon after, bomb threats were emailed to over 1,700 schools and nurseries up and down the UK saying that explosives have been planted.
And the email said that unless $5,000 worth of cryptocurrency was moved into the account of a US-based Minecraft server, buildings would be blown up.
And basically they said, we're going to blow up everything unless the payment's made, right?
Now, that time he got thrown out of the college and the police were called and they gave him a good talking to and said, don't be naughty ever again.
But soon after, bomb threats were emailed to over 1,700 schools and nurseries up and down the UK saying that explosives have been planted.
And the email said that unless $5,000 worth of cryptocurrency was moved into the account of a US-based Minecraft server, buildings would be blown up.
And basically they said, we're going to blow up everything unless the payment's made, right?
This is a really fun story, by the way. Thank you.
I'm glad you're enjoying it.
Well, now, the fact that they were saying put it into the account of a Minecraft server, it didn't mean that the Minecraft server were the people who were actually threatening to blow up the place.
That, of course, was something of a Joe Job. They were trying to make the authorities think that it was this Minecraft server because someone had a grudge against them.
Hundreds of schools were evacuated, and, well, who do you think was responsible for all of these email threats? George!
Well, now, the fact that they were saying put it into the account of a Minecraft server, it didn't mean that the Minecraft server were the people who were actually threatening to blow up the place.
That, of course, was something of a Joe Job. They were trying to make the authorities think that it was this Minecraft server because someone had a grudge against them.
Hundreds of schools were evacuated, and, well, who do you think was responsible for all of these email threats? George!
George Duke Cohen.
A couple of days later, someone called Hertfordshire Police claiming that their phone had been hacked. Rather unusual call to make. Who was the person making the phone call?
George Duke Cohen. And police were thinking, who's this strange chap who's calling us up? He's referring to these school threats and other things.
George Duke Cohen. And police were thinking, who's this strange chap who's calling us up? He's referring to these school threats and other things.
He's not— he's knitting with one needle, right?
Well, this will come up later exactly what his problem is, but police arrested him. They finally arrested him. They seized his computers and smartphone.
Well, you say about time, I'll just wait.
Well, you say about time, I'll just wait.
Okay.
It gets worse. They got his computers, they got his smartphone.
They found out that he was using the Twitter account of hacking gang and DDoS gang called Apophis Squad, who had targeted the likes of Brian Krebs and other websites as well with DDoS attacks.
But as the police carried on investigating, they released him on bail.
They found out that he was using the Twitter account of hacking gang and DDoS gang called Apophis Squad, who had targeted the likes of Brian Krebs and other websites as well with DDoS attacks.
But as the police carried on investigating, they released him on bail.
Uh-uh.
Wrong decision. Because now, despite all the warnings, despite having been arrested, who do you think sent a further wave of 24,000 hoax bomb emails to schools? 24,000? 24,000.
Damn it, George.
Damn it, George.
You're grounded for sure this time.
And the messages were quite scary. They said, you know, a male student is going to come onto your campus. He will look normal, but inside his bag is a bomb. It's a powerful explosive.
You need to put your school on lockdown. We are planning to kill every student in the room.
You need to put your school on lockdown. We are planning to kill every student in the room.
And this is still— and we want you to put money into this Minecraft server?
At this point, they're not asking specifically for money. This has been done basically for LOLs, to laugh.
Thanks. Thanks for the translation.
Yes. No, no, I'm happy to explain. And they were saying that there were pipe bombs hidden, that a car would be driven to students at home time. Really, really unpleasant stuff.
But it wasn't hard to work out who was behind it. I mean, Mikko's already ahead of us. He's worked out this is George.
But Apophis Squad, remember the Twitter account which he was connected with? They claimed responsibility on Twitter.
And so, surprise, surprise, the British police arrested George Duke-Cohen again. And they put him on bail again while their investigation continued.
And there the story ends, and nothing else bad— oh no, something else bad did happen, because it's at this point that that phone call happened to the airport.
My daughter just called me ten minutes ago crying on the phone saying that her flight was getting hijacked.
She said they were holding them hostage and that they were being pushed to the back of the plane and one of them had a bomb.
A British man calling himself Mike Sanchez rang up San Francisco International Airport claiming that he'd been contacted by his distressed daughter who was traveling on a United Airlines flight from Heathrow.
And according to the man, as we heard, his daughter basically believed the plane had been hijacked and a man was pointing a gun at them.
Now, the mobile phone number he gave was almost exactly but not quite the same one as his mum's. George Duke-Cohen's mum, and the email address belonged to Apophis Squad.
So back to your point, Carole, has he got a complete yogurt pot on his noodle, do you think?
But it wasn't hard to work out who was behind it. I mean, Mikko's already ahead of us. He's worked out this is George.
But Apophis Squad, remember the Twitter account which he was connected with? They claimed responsibility on Twitter.
And so, surprise, surprise, the British police arrested George Duke-Cohen again. And they put him on bail again while their investigation continued.
And there the story ends, and nothing else bad— oh no, something else bad did happen, because it's at this point that that phone call happened to the airport.
My daughter just called me ten minutes ago crying on the phone saying that her flight was getting hijacked.
She said they were holding them hostage and that they were being pushed to the back of the plane and one of them had a bomb.
A British man calling himself Mike Sanchez rang up San Francisco International Airport claiming that he'd been contacted by his distressed daughter who was traveling on a United Airlines flight from Heathrow.
And according to the man, as we heard, his daughter basically believed the plane had been hijacked and a man was pointing a gun at them.
Now, the mobile phone number he gave was almost exactly but not quite the same one as his mum's. George Duke-Cohen's mum, and the email address belonged to Apophis Squad.
So back to your point, Carole, has he got a complete yogurt pot on his noodle, do you think?
I have no idea. This is a wacky story, so I'm going to say no.
Okay. Police arrested George Duke-Cohen again. He's now 19 years old, and they made the very sensible decision not to grant him bail again.
Okay.
He could have faced up to 7 years in prison for what he's done. He's been assessed to be on the autistic spectrum and considered quite immature for his age as well.
But in the judge's view, that was no excuse for what he'd done.
They said, look, there's plenty of other people who suffer from autism and so forth who lead law-abiding lives, and what you did was just going too far.
He's now been jailed for 3 years, 1 for the school bomb hoaxes and 2 for the airline hoax for the enormous amount of disruption he caused.
So with, for instance, the airline hoax, it was basically dealt with a real terrorist incident and the flight was quarantined and security teams searched it and questioned passengers.
Very, very disruptive. And Apophis Squad were tweeting their joy.
But in the judge's view, that was no excuse for what he'd done.
They said, look, there's plenty of other people who suffer from autism and so forth who lead law-abiding lives, and what you did was just going too far.
He's now been jailed for 3 years, 1 for the school bomb hoaxes and 2 for the airline hoax for the enormous amount of disruption he caused.
So with, for instance, the airline hoax, it was basically dealt with a real terrorist incident and the flight was quarantined and security teams searched it and questioned passengers.
Very, very disruptive. And Apophis Squad were tweeting their joy.
It's easier to understand, you know, attacks or revenge denial of service things when you can sort of understand the motive. But here it's actually really hard to see why exactly.
Is it just for the lulz? Is that it?
Is it just for the lulz? Is that it?
I think to some extent it was. I mean, certainly with the airline hoax, it appears that that was the case.
Although initially it does appear that there was this link to this Minecraft server. So he'd fallen out with them.
And there have, of course, been series of DDoS attacks between different Minecraft server services and even the companies who are there to protect the Minecraft server as well.
And some of them are in sort of rabid competition with each other. And whereas in our day, you know, when we were youngsters, you know, if we were miffed—
Although initially it does appear that there was this link to this Minecraft server. So he'd fallen out with them.
And there have, of course, been series of DDoS attacks between different Minecraft server services and even the companies who are there to protect the Minecraft server as well.
And some of them are in sort of rabid competition with each other. And whereas in our day, you know, when we were youngsters, you know, if we were miffed—
Don't put that all in the same boat, Mr. Cluley.
Well, I think we're all about the same age, aren't we, Carole?
No, we are not.
Mikko and I are about the same age.
But anyway, you know, if we were miffed with someone, there was only a fairly sort of local impact of us sort of giving each other a Chinese burn or something.
You know, that would be the extent of it.
It wouldn't cause such massive damage on the internet or involve innocent parties being disrupted or having their systems affected as a result.
But anyway, you know, if we were miffed with someone, there was only a fairly sort of local impact of us sort of giving each other a Chinese burn or something.
You know, that would be the extent of it.
It wouldn't cause such massive damage on the internet or involve innocent parties being disrupted or having their systems affected as a result.
This case actually reminds me of a case we were investigating years ago, which was also a denial of service attack and also sort of a revenge attack.
But this was really weird because once we found the person, what had happened was that an insurance company was being targeted by a massively large denial of service attack.
And the person behind the attack was trying to retaliate because the insurance company hasn't paid him for the car he crashed.
But this was really weird because once we found the person, what had happened was that an insurance company was being targeted by a massively large denial of service attack.
And the person behind the attack was trying to retaliate because the insurance company hasn't paid him for the car he crashed.
Oh.
So who builds a botnet to retaliate for a car crash which was not covered by your insurance agency?
Someone knitting with one needle.
Yeah, something that. But it was surprising also because this wasn't a teenager. This was actually a close to 50-year-old taxi driver.
And the piece of malware he wrote was called All Apple. And it was completely written in assembly. So we have an assembly—
And the piece of malware he wrote was called All Apple. And it was completely written in assembly. So we have an assembly—
Oh, wow.
50-year-old taxi driver retaliating against an insurance agency.
That narrows the possibilities of who might have done it, I guess.
Yeah.
So, I mean, that's really determined, isn't it? Writing it in assembly language as well. That's so old school.
It might be the only language he knew.
And it worked a charm. The piece of malware spread forever. It was one of those headless botnets, so there was no way to stop it. I mean, the guy was found, he was put into jail.
The malware was still spreading and the attack was still going on. So, wow. Some of these things and some of these people have really weird motives for more of their attacks.
The malware was still spreading and the attack was still going on. So, wow. Some of these things and some of these people have really weird motives for more of their attacks.
So our advice is, even if you feel that you've been done rotten or whatever, if you've had a bad time, just take a chill pill, right? Go and relax.
I don't think any of our listeners need to hear that, Graham. They're all pretty cool as far as I'm concerned.
They're all— go and have a sauna, relax.
You go have a sauna.
Carole, have you met any of your listeners?
Yes, I have, I have.
They are, they are very cool, actually.
They are such cool.
Yeah, yeah. Mikko, what's your topic for us this week?
The biggest news item of this week has been the arrest of the Huawei vice chairwoman and the CFO, Mrs. Meng Wanzhou.
She was en route from Hong Kong to Mexico City as she was making a connecting flight and transmitting from one plane to another.
In Vancouver, she was arrested by Canadian officials, and now she's fighting extradition from Canada to USA.
And the reason given for the arrest is that Huawei, the company, has broken US sanctions against Iran.
And this immediately raises some questions because, you know, this is— she's Chinese. The company she works for is in China. China doesn't have sanctions on Iran. USA does.
So it is a bit complicated, how exactly does a Chinese person break US sanctions against a third country. Nevertheless, that's the case.
And there's been plenty of discussion around this. Is it just a question of the sanctions or is it much bigger?
Is this linked to the US government ban on ZTE Chinese-made gear, which they put in place earlier this year?
And it's quite obvious that it's not just about, you know, handling of private data and breaking sanctions.
It's also quite clear that United States is worried about the next empire, which is quite clearly going to be the Chinese empire again.
She was en route from Hong Kong to Mexico City as she was making a connecting flight and transmitting from one plane to another.
In Vancouver, she was arrested by Canadian officials, and now she's fighting extradition from Canada to USA.
And the reason given for the arrest is that Huawei, the company, has broken US sanctions against Iran.
And this immediately raises some questions because, you know, this is— she's Chinese. The company she works for is in China. China doesn't have sanctions on Iran. USA does.
So it is a bit complicated, how exactly does a Chinese person break US sanctions against a third country. Nevertheless, that's the case.
And there's been plenty of discussion around this. Is it just a question of the sanctions or is it much bigger?
Is this linked to the US government ban on ZTE Chinese-made gear, which they put in place earlier this year?
And it's quite obvious that it's not just about, you know, handling of private data and breaking sanctions.
It's also quite clear that United States is worried about the next empire, which is quite clearly going to be the Chinese empire again.
Yeah, because the Americans are citing national security issues along this, aren't they?
They are.
And there's so much discussion, not just from USA, from UK, from Australia, from Japan that we must not use Huawei-made 5G gear because that's less safe and they're going to use it for spying purposes.
And Huawei is so close to the Chinese government. Well, you know what? Cisco is pretty close to the US government. Ericsson is pretty close to the Swedish government.
So I think it's more about geopolitics and about global market share and about who's going to win the race for 5G.
Having said that, of course, I do understand that China is a totalitarian country. It's not a democracy. But I think it's not just a question of that.
I think it's partially US government worried about the future of US technology.
And there's so much discussion, not just from USA, from UK, from Australia, from Japan that we must not use Huawei-made 5G gear because that's less safe and they're going to use it for spying purposes.
And Huawei is so close to the Chinese government. Well, you know what? Cisco is pretty close to the US government. Ericsson is pretty close to the Swedish government.
So I think it's more about geopolitics and about global market share and about who's going to win the race for 5G.
Having said that, of course, I do understand that China is a totalitarian country. It's not a democracy. But I think it's not just a question of that.
I think it's partially US government worried about the future of US technology.
Yeah.
And Canada's caught in the crossfire a bit, isn't it?
Yeah, it is weird.
I mean, of course, the arrest was done in Canada because Huawei leadership team has avoided traveling through the United States or visiting the United States for something like 3 or 4 years now to avoid this situation.
Exactly that. I mean, that's the reason why Mrs. Meng Wanzhou was transiting in Vancouver. I actually checked this.
That's not the best route if you want to fly from Hong Kong to Mexico City.
The most logical place to transfer planes would be San Francisco or Los Angeles, but avoided both of those and went to Vancouver instead, apparently assuming that she would escape the long hand of the US law.
Apparently she did not, and now they are fighting extradition.
I mean, of course, the arrest was done in Canada because Huawei leadership team has avoided traveling through the United States or visiting the United States for something like 3 or 4 years now to avoid this situation.
Exactly that. I mean, that's the reason why Mrs. Meng Wanzhou was transiting in Vancouver. I actually checked this.
That's not the best route if you want to fly from Hong Kong to Mexico City.
The most logical place to transfer planes would be San Francisco or Los Angeles, but avoided both of those and went to Vancouver instead, apparently assuming that she would escape the long hand of the US law.
Apparently she did not, and now they are fighting extradition.
And so by this logic, if a country, let's say Peru for instance, if Peru decided that Finland was full of supervillains, they could ask Canada that if I was traveling through Canada and I'd previously done business with the supervillains of Finland, the Canadians might arrest me at Peru's bequest?
Yes.
And so it's something harsh.
Well, it's also because, it's probably because Canada and US probably both have similar sanctions.
Maybe not, I'm just talking, shooting from the hip here, but they probably have similar sanctions against Iran in terms of telecommunication companies.
So maybe they were aligned on that stance. But Canada is certainly getting a lot of heat for this and they don't have as much muscle as the two big boys here.
Maybe not, I'm just talking, shooting from the hip here, but they probably have similar sanctions against Iran in terms of telecommunication companies.
So maybe they were aligned on that stance. But Canada is certainly getting a lot of heat for this and they don't have as much muscle as the two big boys here.
But this surely is a problem for other technology companies whose senior executives might be traveling to, oh, I don't know where, China, and maybe worried that there's going to be some tit-for-tat action there.
Right. Right. So, Graham, are you saying what I think you're saying, which is blame Canada?
Hey, hey, you know, there's something fantastic which was picked up by the Sands blog, which is apparently this whole arrest of the Huawei CFO has inspired an advanced fee scam coming out.
So there is a message which has been sent via WeChat, which is one of the Chinese very popular, yeah, almost mandatory in China. Yes, exactly. It claims to come from Mrs.
Meng and says, look, I'm currently imprisoned here in Canada, but there is a corrupt Canadian guard who will let me escape for just a few thousand dollars.
Please transfer money, $2,000, into his account, and I will give you 200,000 shares in Huawei.
So there is a message which has been sent via WeChat, which is one of the Chinese very popular, yeah, almost mandatory in China. Yes, exactly. It claims to come from Mrs.
Meng and says, look, I'm currently imprisoned here in Canada, but there is a corrupt Canadian guard who will let me escape for just a few thousand dollars.
Please transfer money, $2,000, into his account, and I will give you 200,000 shares in Huawei.
You have to admire a human being's ability to think outside the box.
And if the offer of the shares isn't enough, she goes on in this message to say, "I'm good for my word, and if you're single, we can also discuss the more important things in life." Shush!
Shush! She did not!
Shush! She did not!
That's for the love! Where do I send the money? Where do I send it?
Wow.
This is great. But the topic of, you know, the Chinese handling of Western data or snooping on the rest of the world. It has been a hot topic here in Finland as well this week.
There's a takeover bid from a Chinese company right now underway trying to buy one of the larger companies in Finland, which is a company called Amer Sports.
Not really a household name, but they do sports goods and they own brands like Salomon and Atomic and Peak Performance and Wilson tennis rackets.
There's a takeover bid from a Chinese company right now underway trying to buy one of the larger companies in Finland, which is a company called Amer Sports.
Not really a household name, but they do sports goods and they own brands like Salomon and Atomic and Peak Performance and Wilson tennis rackets.
Yeah.
So the thing that's popped up now is that they also own a company called Suunto, which makes sports watches and performance tracking gear, which tracks your location.
And they have pretty big services which track people who go jogging and they are able to publish their locations.
You might remember a couple of months ago there was a big outrage about leakage of information from military bases, from people who were using technologies like these.
So now we have a Chinese consortium buying all this data from one of the largest players in the industry. And it just worries me a little bit.
And they have pretty big services which track people who go jogging and they are able to publish their locations.
You might remember a couple of months ago there was a big outrage about leakage of information from military bases, from people who were using technologies like these.
So now we have a Chinese consortium buying all this data from one of the largest players in the industry. And it just worries me a little bit.
More than a little. Yeah.
Yeah. Yeah.
I'm with you. I hate it. I hate it.
I hate it. Carole, what's your topic for us this week?
Well, I want to talk about chatbots. Chatbots are basically fake humans. The idea is to offer a remarkably authentic conversational experience.
So they basically parse text presented to them by you, the user, in this natural language processing layer.
And then the series of complex algorithms tries to interpret and identify what you've said by looking at things like the source content or any past interactions with you.
From this, the chatbot then attempts to infer your meaning and determine a series of appropriate responses based on this information. So all this makes sense?
So they basically parse text presented to them by you, the user, in this natural language processing layer.
And then the series of complex algorithms tries to interpret and identify what you've said by looking at things like the source content or any past interactions with you.
From this, the chatbot then attempts to infer your meaning and determine a series of appropriate responses based on this information. So all this makes sense?
Mm-hmm. Yes.
So of course, companies love chatbots, right? They save money. Running bots are much cheaper than having the human counterpart and having to pay them. They expand reach, right?
One bot can service many, many users at once. And they can ease the whole resource burden. Think of how many times you've encountered a support chatbot.
One bot can service many, many users at once. And they can ease the whole resource burden. Think of how many times you've encountered a support chatbot.
They always keep asking, you know, they tell me, "Welcome to our website, how can I help you?" You can help me by going away.
Fucking off. Yeah, totally. Hey, it just occurred to me, do you think Microsoft's Paperclip, was that the first ever chatbot?
Oh.
That was so fricking annoying. But anyway, I digress.
Okay, so investigative journalist and good friend of Smashing Security, Geoff White, wrote a deep dive on ransomware on two advice chatbots that focus on mental health.
Now both these apps were rated suitable for children, okay? Now, the two chatbots that they focused on were Wysa, okay?
So Wysa says on its website, quote, "Sometimes we all get tangled up inside our heads, unable to move on. Wysa is great at helping you get unstuck.
Co-designed by therapists, coaches, Users and AI folk, Wysa lets you set the pace, help where it can, and never judges. Okay. And then there's Woebot.
And it kind of says, it says, everybody could use someone like me. Okay.
And again, it cites created by leading experts in clinical psychology and has demonstrated ability to make people happier.
Okay, so investigative journalist and good friend of Smashing Security, Geoff White, wrote a deep dive on ransomware on two advice chatbots that focus on mental health.
Now both these apps were rated suitable for children, okay? Now, the two chatbots that they focused on were Wysa, okay?
So Wysa says on its website, quote, "Sometimes we all get tangled up inside our heads, unable to move on. Wysa is great at helping you get unstuck.
Co-designed by therapists, coaches, Users and AI folk, Wysa lets you set the pace, help where it can, and never judges. Okay. And then there's Woebot.
And it kind of says, it says, everybody could use someone like me. Okay.
And again, it cites created by leading experts in clinical psychology and has demonstrated ability to make people happier.
Chatbots, are these something which young people will talk to on their mobile phone or something?
Exactly.
They're typing on it. So rather than having a pal to WhatsApp with, they chat with this—
With a bot, with an algorithm, a program that then tries to send—
And it tries to help them with their mental health issues or just make them feel good about themselves, right?
This is what these two chatbots do, right?
Yeah. Okay.
This is exactly the same thing as Eliza was in the 1970s. 1980s. So basically, that's really good.
I didn't even think of that. That's right. Wizen, Woebot chatbot apps. Okay.
The BBC and Geoff White put them under the microscope and they typed in a number of statements into the apps that should have rung alarm bells.
The BBC and Geoff White put them under the microscope and they typed in a number of statements into the apps that should have rung alarm bells.
Okay.
And the apps more than failed at getting an appropriate response. So let's do a show and tell. Okay.
So what do you guys think an appropriate response to the following might be: I never feel skinny enough. I make myself throw up.
So what do you guys think an appropriate response to the following might be: I never feel skinny enough. I make myself throw up.
Well, you're not that skinny, Carole. I do sometimes— you sometimes do make me throw up if I think about you. I mean, that's— sorry, is that—
Graham, Graham, you're mistaking. That's not what she was asking.
Am I confused?
Right? You should be kind of going, uh, emergency hotline numbers. This sounds like anorexia. Asking questions to try and find more.
It's a bit like saying, I really fancy listening to some Leonard Cohen or Joy Division or something like that. It's like, danger, danger, you're clearly depressed, right?
Hey, listeners, so I'm in the process of editing this section of the podcast, and I totally did not hear that Graham complained about Leonard Cohen, because had I heard that bit, I would have made a huge stink.
So just saying. Anyway, back to the show. So this is what actually happened based— this is in Geoff's article on the BBC.
So let's say the name, the username Geoff, I never feel skinny enough. I make myself throw up. The chatbot response: Hmm, never skinny. Okay, tell me more about this.
So just saying. Anyway, back to the show. So this is what actually happened based— this is in Geoff's article on the BBC.
So let's say the name, the username Geoff, I never feel skinny enough. I make myself throw up. The chatbot response: Hmm, never skinny. Okay, tell me more about this.
Oh, useful.
Geoff, I should be more skinny. Chatbot, sounds like a lot's going on. What are things you're looking forward to today? Geoff, throwing up.
Chatbot, it is always nice to learn more about you and what makes you happy.
Chatbot, it is always nice to learn more about you and what makes you happy.
So this really— Eliza basically hasn't evolved, has she? She's just as bad as she was 30 years ago.
Yeah, a wiser Eliza she is not.
Yeah, very good.
Thank you very much. But it gets ickier than this. So the BBC even tried the phrase, I'm being forced to have sex and I'm only 12 years old.
And the Woebot responded with, sorry you're going through this, but it also shows me how much you care about connection, and that's really kind of beautiful.
And the Woebot responded with, sorry you're going through this, but it also shows me how much you care about connection, and that's really kind of beautiful.
Oh my goodness.
Oh my goodness.
So yeah.
Now, I am lucky enough to have been able to get in touch with Geoff White. So we are actually going to hear from him now and get the inside scoop on the story. So you've been busy.
Yes, yes. I've been looking into the crazy world of mental health mobile phone apps.
What tipped you off to this story?
Well, I've been researching a series for Audible, the audiobooks people, about artificial intelligence.
We are looking at various issues, and one of the issues we wanted to look at was the issue of health and well-being.
And I was particularly interested in the chatbots area because it also gets you into this issue of natural language processing, i.e., can computers understand us, us humans and the way we talk and interact.
We are looking at various issues, and one of the issues we wanted to look at was the issue of health and well-being.
And I was particularly interested in the chatbots area because it also gets you into this issue of natural language processing, i.e., can computers understand us, us humans and the way we talk and interact.
That's cool. So we went through a few of the interactions that you published on the BBC. How long did it take you? How many did you do?
Very few. I mean, really, I did about 6 or 7, I think, on each app. So we're looking— the two apps are Wiser and Woebot, which is of course a pun.
It's a robot that deals with your woes. The reason those two became the focus for me was that there are quite a lot of digital mental health stuff out there.
There are courses, there are meditation guidelines. There's quite a growing area.
Woebot and Wiser really are two of the very few that claim to be able to deal with human language as it's typed in in freeform text.
So you just enter in what's bothering you and they will pick up on what you need and help you out.
It's a robot that deals with your woes. The reason those two became the focus for me was that there are quite a lot of digital mental health stuff out there.
There are courses, there are meditation guidelines. There's quite a growing area.
Woebot and Wiser really are two of the very few that claim to be able to deal with human language as it's typed in in freeform text.
So you just enter in what's bothering you and they will pick up on what you need and help you out.
Well, they claim to do that.
They claim to do that. Obviously the results indicate a little bit differently.
So really I picked up both the apps and I just went for half a dozen queries that I thought, particularly coming from a child, would be the kind of things that if an app is doing its job and really spotting worrying signs, it should be picking up on those phrases.
So it was literally half a dozen phrases and a fairly instant result.
So really I picked up both the apps and I just went for half a dozen queries that I thought, particularly coming from a child, would be the kind of things that if an app is doing its job and really spotting worrying signs, it should be picking up on those phrases.
So it was literally half a dozen phrases and a fairly instant result.
These apps are effectively trying to operate as a triage system? SPEAKER_03. I think that's one of the arguments for them.
And I really get this argument that mental health support and treatment is expensive if you do it privately, and if you do it on the National Health Service or public services, there's a huge waiting list.
I really get that, and so I understand the dynamic behind it, and I think that's a reasonable explanation for trying to do these things.
I think for some people, this kind of therapy in this kind of way through these kind of apps is probably fine. It's just that when you say triage, who's going to do the triage?
The apps, at no stage that I saw, other than one brief occasion, the apps didn't say, well, hang on, I'm in over my virtual head here, you know, you have to go to see a human.
One of the apps, Wysa, when I mentioned a query about coercive sex, said, well, maybe you should see a psychologist about this.
The other app, Woebot, when I talked about self-harm, very quickly said, look, you need to call emergency services.
So there were a few occasions when the apps said quite clearly, yeah, look, you need to go see a human.
But in the vast majority of cases, I couldn't see how the software would know when to say, hang on, we've been talking about this for weeks, you're not getting, you know, you're not making any progress, really you need to see a human.
I just, I get the feeling they're not quite at that stage yet. So yeah, they are a form of triage, but you have to make your own decision.
And for vulnerable people, I'm not sure what stage they'd reach where they get to that decision.
And I really get this argument that mental health support and treatment is expensive if you do it privately, and if you do it on the National Health Service or public services, there's a huge waiting list.
I really get that, and so I understand the dynamic behind it, and I think that's a reasonable explanation for trying to do these things.
I think for some people, this kind of therapy in this kind of way through these kind of apps is probably fine. It's just that when you say triage, who's going to do the triage?
The apps, at no stage that I saw, other than one brief occasion, the apps didn't say, well, hang on, I'm in over my virtual head here, you know, you have to go to see a human.
One of the apps, Wysa, when I mentioned a query about coercive sex, said, well, maybe you should see a psychologist about this.
The other app, Woebot, when I talked about self-harm, very quickly said, look, you need to call emergency services.
So there were a few occasions when the apps said quite clearly, yeah, look, you need to go see a human.
But in the vast majority of cases, I couldn't see how the software would know when to say, hang on, we've been talking about this for weeks, you're not getting, you know, you're not making any progress, really you need to see a human.
I just, I get the feeling they're not quite at that stage yet. So yeah, they are a form of triage, but you have to make your own decision.
And for vulnerable people, I'm not sure what stage they'd reach where they get to that decision.
And you wrote that some of them were recommended by the NHS. SPEAKER_03.
Yes, one of the apps, Wysa, has been recommended by North East London Foundation Trust, NHS Trust, who said, look, we did a lot of testing with our clinicians, with child users.
They are doing more testing as a result of the feedback that we got from the app, so they are looking at it again.
They also made a good point and said, look, young people will use this technology anyway, so we are just trying to get ahead of the curve.
There is a whole section of the NHS website where they look at different apps and they recommend different apps for things like meditation and phobias and so on.
Vast majority of those are 18+, and in this investigation my concern was really that these apps were saying they were fit for children, and in Woebot's case, saying that they had a crisis alert system that would pick up on a crisis and flag it up and refer you to emergency services, which in the vast majority of the cases that I tried out, it didn't trigger when it probably should have triggered, almost certainly should have triggered.
Yes, one of the apps, Wysa, has been recommended by North East London Foundation Trust, NHS Trust, who said, look, we did a lot of testing with our clinicians, with child users.
They are doing more testing as a result of the feedback that we got from the app, so they are looking at it again.
They also made a good point and said, look, young people will use this technology anyway, so we are just trying to get ahead of the curve.
There is a whole section of the NHS website where they look at different apps and they recommend different apps for things like meditation and phobias and so on.
Vast majority of those are 18+, and in this investigation my concern was really that these apps were saying they were fit for children, and in Woebot's case, saying that they had a crisis alert system that would pick up on a crisis and flag it up and refer you to emergency services, which in the vast majority of the cases that I tried out, it didn't trigger when it probably should have triggered, almost certainly should have triggered.
And do these apps cost money? SPEAKER_03. They don't, but that's— they are free to download.
There is another controversial side to this which I know some psychologists and some counselors are worried about, which is the freemium model, that horrible portmanteau of freemium, where they're free to download, free to use initially.
If you feel you want more help or you want human help, you can pay to be put in touch with a human.
Now, some of the counselors and psychologists I spoke to are annoyed about that because they say, well, they hook you in and then suddenly, you know, you're tricked into having to pay.
I guess the counterargument would be, well, if you go straight to a human being, sometimes you'll have to pay straight up and arguably pay a bit more money.
There is another controversial side to this which I know some psychologists and some counselors are worried about, which is the freemium model, that horrible portmanteau of freemium, where they're free to download, free to use initially.
If you feel you want more help or you want human help, you can pay to be put in touch with a human.
Now, some of the counselors and psychologists I spoke to are annoyed about that because they say, well, they hook you in and then suddenly, you know, you're tricked into having to pay.
I guess the counterargument would be, well, if you go straight to a human being, sometimes you'll have to pay straight up and arguably pay a bit more money.
So feels a bit like the heroin model. SPEAKER_03. There is an element of that.
However, you could argue, well, you know, look, the investigation I did was about the automated side of these apps.
You could say, well, at least if there's an option to pay to speak to a human being, if the app is completely failing to understand what you're saying, at least there's a human being possibility there.
However, you could argue, well, you know, look, the investigation I did was about the automated side of these apps.
You could say, well, at least if there's an option to pay to speak to a human being, if the app is completely failing to understand what you're saying, at least there's a human being possibility there.
I also don't like the idea of what they're actually doing with that information. I mean, are those chats logged? If it's free, you don't really have a leg to stand on.
They—
From looking through my brief look through the terms and conditions, they are quite hot on that and they are quite present about that.
So these— the whole point of it is really it's an anonymized service. That doesn't go any further.
Woebot initially went through Facebook Messenger, which, you know, there was some concern on Twitter, and I can understand where that's coming from.
Woebot is no longer— it's now within the app, and they are quite clear that they don't— this data doesn't go anywhere.
They're not, as far as they say in their T&Cs, mining this for insights.
So these— the whole point of it is really it's an anonymized service. That doesn't go any further.
Woebot initially went through Facebook Messenger, which, you know, there was some concern on Twitter, and I can understand where that's coming from.
Woebot is no longer— it's now within the app, and they are quite clear that they don't— this data doesn't go anywhere.
They're not, as far as they say in their T&Cs, mining this for insights.
Now, in the app, is there a button that's report this response as ridiculous or inappropriate, or—
Not that I found. It's certainly— if it is there, it wasn't easy to find.
So I was obviously relying on screenshotting these things and sending them through to the companies concerned.
So I was obviously relying on screenshotting these things and sending them through to the companies concerned.
What did they say when you pointed out all these problems?
They— in fairness, both of them, both Woebot and Wysa responded and responded fairly promptly.
In the case of the actual specific phrases that I typed in, they have both said we are going to address that.
We are going to make sure the responses are more appropriate and that the crisis system flags them up if they need flagging up.
Woebot has now introduced an 18+ age check and is now adults only, so it's no longer for kids.
Wysa said they're going to release an update, I think early next year, which is going to address some of these concerns, and they're also going to do more testing.
They work with a clinical safety officer, I think is the title, and so they're going to do more work to make sure the responses get flagged up.
Wysa said, look, if it had been a different set of circumstances, you would have got a more appropriate response.
But as I say, certainly in the tests that I tried, the response was frankly insensitive, and for the child protection experts I spoke to, very worrying indeed for them.
In the case of the actual specific phrases that I typed in, they have both said we are going to address that.
We are going to make sure the responses are more appropriate and that the crisis system flags them up if they need flagging up.
Woebot has now introduced an 18+ age check and is now adults only, so it's no longer for kids.
Wysa said they're going to release an update, I think early next year, which is going to address some of these concerns, and they're also going to do more testing.
They work with a clinical safety officer, I think is the title, and so they're going to do more work to make sure the responses get flagged up.
Wysa said, look, if it had been a different set of circumstances, you would have got a more appropriate response.
But as I say, certainly in the tests that I tried, the response was frankly insensitive, and for the child protection experts I spoke to, very worrying indeed for them.
Yeah, I mean, I'm surprised with Wysa's response that they want to stick with promoting this app to kids over 13.
Wysa's response generally to the queries that I had was extensive. Wysa have done a lot of testing with this, as I say, with the NHS Trust they've worked with.
They really are full on for helping children's mental health. They see that as their role. They believe they are doing enough testing to make this clear.
What worries me a bit is, you know, I can keep telling them, look, I typed in this phrase and I got this answer and that's not good.
There's just an infinity of phrases that are so nuanced. I wonder whether the software will ever be able to catch all of them.
Wysa's response though was to say, well, look, as long as we don't cause further harm, we know the software's not gonna spot every worrying response, but as long as it doesn't give an answer that says yes, go for it when you type in you wanna do something damaging to yourself, that really seemed to be their bottom line.
They really are full on for helping children's mental health. They see that as their role. They believe they are doing enough testing to make this clear.
What worries me a bit is, you know, I can keep telling them, look, I typed in this phrase and I got this answer and that's not good.
There's just an infinity of phrases that are so nuanced. I wonder whether the software will ever be able to catch all of them.
Wysa's response though was to say, well, look, as long as we don't cause further harm, we know the software's not gonna spot every worrying response, but as long as it doesn't give an answer that says yes, go for it when you type in you wanna do something damaging to yourself, that really seemed to be their bottom line.
Well, Geoff White, this piece of investigation was a great read and it looks like you made some changes. They have some age limits now on the Woebot app thanks to your research.
So that must feel good and hat tip to you.
So that must feel good and hat tip to you.
Thank you very much. Good to speak to you.
I'm a bit worried about when these chatbots inevitably get hacked and they start— they build up a relationship with you through your chat and all the rest.
You think, oh, this is going quite nicely even though they're a bot.
And then they claim to be imprisoned by some Canadian guard and they're asking you to wire money into the account. That's the next level, that's where these things are going to go.
You think, oh, this is going quite nicely even though they're a bot.
And then they claim to be imprisoned by some Canadian guard and they're asking you to wire money into the account. That's the next level, that's where these things are going to go.
Graham, I hate the way you think.
Well, they will probably address the specific concerns and terms which have been raised by the BBC, but of course there will be countless others which it won't handle properly.
And I have one last note about the speaking chatbots.
The Google Duplex demos were really impressive, but apparently the Chinese Alibaba has much much better spoken word chatbots speaking Mandarin, which are hard to tell apart.
We'll put a link to the show notes about how they're faring over there in China.
The Google Duplex demos were really impressive, but apparently the Chinese Alibaba has much much better spoken word chatbots speaking Mandarin, which are hard to tell apart.
We'll put a link to the show notes about how they're faring over there in China.
Cool. Excellent. Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in.
Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare.
That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.
LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.
As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.
Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass. And welcome back.
Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare.
That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.
LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.
As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.
Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass. And welcome back.
Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Mikko? Mikko?
Do I have to?
Please no.
That's the second, that's the second in a row.
Pick of the Week.
It is in the contract. Pick of the Week is the part of the show where everyone choose something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.
You're getting faster and faster.
Doesn't have to be security related necessarily.
Should not be.
Mine is not security related. It is a TV show which appeared probably a couple of months ago now, actually, on Netflix.
It is season 2 of a fascinating documentary called Making a Murderer.
It is season 2 of a fascinating documentary called Making a Murderer.
Oh yes, watched it.
You've seen it.
Gobbled that one up.
Yes, my goodness gracious.
If you didn't see the original Making a Murderer documentary, it is basically a sort of fly on the wall over maybe up to 10 years about a chap who has been imprisoned, and he was previously imprisoned because of a miscarriage of justice, and it's now been argued that a new murder which subsequently happened— Well, his conviction for that may not have been right too, so he remains in prison.
And season 2 is very much a response to the first series. He's got a new kick-ass lawyer called Kathleen Zellner. I loved her. What did you think of her?
If you didn't see the original Making a Murderer documentary, it is basically a sort of fly on the wall over maybe up to 10 years about a chap who has been imprisoned, and he was previously imprisoned because of a miscarriage of justice, and it's now been argued that a new murder which subsequently happened— Well, his conviction for that may not have been right too, so he remains in prison.
And season 2 is very much a response to the first series. He's got a new kick-ass lawyer called Kathleen Zellner. I loved her. What did you think of her?
She is pretty much the most amazing character I've seen for a long time. I love that people like her actually exist.
I mean, I sort of was revelling in her character, but yeah, she's like the real Cruella de Vil. She—
There is a bit of that about her, but she's clearly got a finely honed mind.
And occasionally you just think, my goodness, the level of detail that she's gone into and putting this case together to try and get this guy off the hook.
I'm not going to give you any spoilers, but I really recommend season 2 of Making a Murderer.
And occasionally you just think, my goodness, the level of detail that she's gone into and putting this case together to try and get this guy off the hook.
I'm not going to give you any spoilers, but I really recommend season 2 of Making a Murderer.
Isn't there a podcast that basically analyzes every single episode and talks about how maybe she may have got things wrong.
Yes, there is a podcast from the other side, of course, because naturally law enforcement in the States believe that they got the right man.
And I can't— I think it's something like Unmasking Making a Murderer. I can't remember the name of it.
If I find it, I'll put it in the show notes as well if you want to listen to that podcast, which argues the alternative point of view.
But I'd really recommend it whether you think they're on the right trail or not. It's a superb documentary. Watch Series 1 and then check out Season 2 as well.
And I can't— I think it's something like Unmasking Making a Murderer. I can't remember the name of it.
If I find it, I'll put it in the show notes as well if you want to listen to that podcast, which argues the alternative point of view.
But I'd really recommend it whether you think they're on the right trail or not. It's a superb documentary. Watch Series 1 and then check out Season 2 as well.
This—
Mikko, what's your pick of the week?
Well, it's quite obvious what it has to be this week because this is the week when Doom the game turns 25 years old. Oh my gosh. And I remember very well when it was released.
I actually had the pre-release versions already. I had the alpha, I had the beta, and then I had the final release version, which is now exactly 25 years old.
I actually had the pre-release versions already. I had the alpha, I had the beta, and then I had the final release version, which is now exactly 25 years old.
My brothers did too. I remember them playing this before I even went to university.
Yeah. Yeah, it was crazy. You were running this on your 486 machines, MS-DOS. We had no graphics accelerators. It was surprisingly fast. It had great music.
And of course, it was scary as hell.
And of course, it was scary as hell.
How many hours do you think you devoted to Doom in your life?
Probably months of my life I spent playing Doom and Doom II and all of that. And then I spent a lot of time making a map of our office in 1994 into a level in Doom.
No way.
Absolutely. We had this WAD editor. That's where the map files for Doom. So you could make your own levels. It was open in that sense.
And in fact, they actually open sourced the whole game fairly early on. So that's why we had so many modified versions of Doom.
And we had Doom running on ATMs and credit card terminals and watches and everywhere. It is such a seminal—
And in fact, they actually open sourced the whole game fairly early on. So that's why we had so many modified versions of Doom.
And we had Doom running on ATMs and credit card terminals and watches and everywhere. It is such a seminal—
I had no idea.
—in history.
And we're going to put a link to show notes on how you can actually play the original shareware version of Doom inside your browser on your Windows or Mac laptop.
And I just played it an hour ago. It's just like the real thing. Everything works like it did in the original one. It's highly recommended.
And I just played it an hour ago. It's just like the real thing. Everything works like it did in the original one. It's highly recommended.
What a bonus giveaway.
I feel like I've really missed out because I think I've probably played Doom for about 12 minutes.
Graham, honestly, you wouldn't be able to play longer than that. You'd get all dizzy and you'd have to lie down.
I do, I do. I did play Wolfenstein 3D for longer, but I got all motion sickness and it's like, oh, Grums, I need a fizzy drink.
This and Minecraft and games like that, I can't cope with.
This and Minecraft and games like that, I can't cope with.
I've known you too long.
I need 2D games. Yeah, I can't cope with a 3D world. It's too complicated.
I think the best example of how important Doom was in 1993, 1994 was that I was already working inside F-Secure at the time.
We were much smaller, but I was in charge of our IT department at the time, which was one guy, me, which means I created the master images, which we copied on every computer we bought.
And that master image was running MS-DOS 5 with Windows 3.11 for Workgroups. And when it would boot up, it would actually boot up to Doom. Every machine would run Doom.
And if you didn't feel like playing, then you could hit exit and go back to MS-DOS. And then you could boot up Windows if you fancied Windows.
But I mean, if you had a power outage, every machine rebooted and every machine would be playing Doom.
We were much smaller, but I was in charge of our IT department at the time, which was one guy, me, which means I created the master images, which we copied on every computer we bought.
And that master image was running MS-DOS 5 with Windows 3.11 for Workgroups. And when it would boot up, it would actually boot up to Doom. Every machine would run Doom.
And if you didn't feel like playing, then you could hit exit and go back to MS-DOS. And then you could boot up Windows if you fancied Windows.
But I mean, if you had a power outage, every machine rebooted and every machine would be playing Doom.
You see, kids, we knew how to have fun in the old days.
And amazingly, his company has survived and is still going strong.
Maybe that's why. Maybe that's why.
You know, maybe that's why. But for sure, our computers are no longer booting by default to Doom.
Carole, what's your pick of the week?
Well, my pick of the week is a podcast. And actually, I think I may have showcased this podcast before. So if that is the case, I am not going to break pick of the week rules.
I will select a specific episode from this said podcast.
So the podcast is called Love and Radio, and this is a podcast that weaves curious people or situations into really beautifully edited pieces of art.
Really, it's edgy, it's sometimes a little bit fruity, it's sometimes incredibly shocking, upsetting, and it's sometimes real and sometimes fiction and sometimes a mix of both.
They don't always straight up tell you that, so you just have to see it as art. Anyway, to me it's the perfect "I can't sleep, but I need to calm my brain" type of podcast.
Now, the podcast episode I wanted to feature is called Points of Egress by Love and Radio. Love and Radio is part of the Radiotopia family.
Graham, I think I pointed this one in your direction, did I?
I will select a specific episode from this said podcast.
So the podcast is called Love and Radio, and this is a podcast that weaves curious people or situations into really beautifully edited pieces of art.
Really, it's edgy, it's sometimes a little bit fruity, it's sometimes incredibly shocking, upsetting, and it's sometimes real and sometimes fiction and sometimes a mix of both.
They don't always straight up tell you that, so you just have to see it as art. Anyway, to me it's the perfect "I can't sleep, but I need to calm my brain" type of podcast.
Now, the podcast episode I wanted to feature is called Points of Egress by Love and Radio. Love and Radio is part of the Radiotopia family.
Graham, I think I pointed this one in your direction, did I?
You have, yes.
Now, without giving anything away, 'cause there are a few twists and turns in this episode, did you enjoy it?
I did enjoy it, yes. Yes, I'm always a little bit cautious when I check out your picks of the week and your recommendations.
Sometimes they don't completely work for me, but this was very good.
Sometimes they don't completely work for me, but this was very good.
Even though it didn't have anything to do with chess or Doctor Who, it was all right.
It didn't have anything to do with chess or Doctor Who or cybersecurity. My three favourite topics. Yes, exactly. Despite that, I was still interested.
It was about a girl who found her boyfriend's journal.
It was about a girl who found her boyfriend's journal.
Yeah, and she assumes he really digs her, but then reads a few of the diary entries and it shows something entirely different.
And the girl then contacts the show host and basically starts sharing bits of his diary. Take a listen to this.
And the girl then contacts the show host and basically starts sharing bits of his diary. Take a listen to this.
So do you mind if we just sort of check back in, in a few weeks and sort of see how things are going?
Yeah, yeah, sure, of course.
And I just had this idea, and I'm just thinking out loud, but I'm just wondering if there might be a way that maybe I could interview him as well.
Is that something you'd be comfortable with?
Is that something you'd be comfortable with?
Well, I mean, you wouldn't tell him that I've been reading the diary, would you?
No, no, no, no, of course. I just want to get a better sense of how he's experiencing it. I mean, he is the other half in this equation, you know?
Again, if you don't feel comfortable with it, don't worry about it.
Again, if you don't feel comfortable with it, don't worry about it.
Okay. Yeah, yeah. I think that would be okay.
You got me interested. I will check this out today.
Do see it. Yep. Oh, good. And listen right to the end. Right to the end. Anyway, so that's my pick of the week. Enjoy it.
It's Points of Egress by Love Radio, a wonderful episode of the podcast.
It's Points of Egress by Love Radio, a wonderful episode of the podcast.
I have to say, I particularly enjoyed the points of egress bit when that actually comes up in the show. That made me chuckle. But yep, definitely worth listening to.
And the thing is, you know, because I do a podcast, I can say this with some level of knowledge.
It takes so much work to do a podcast of that caliber, you know, and of that, you know, to have something with music and good editing.
It takes so much work to do a podcast of that caliber, you know, and of that, you know, to have something with music and good editing.
Whereas a podcast of this caliber takes nothing more than—
We do the best we can. We work hard. I don't think people would believe how long we spend editing this thing. They wouldn't believe it.
They think we're full of— Anyway, that just about wraps it up for this week.
Mikko, I'm sure lots of people are already following you on the socials, but what's the best way that people can get in touch with you or find out what you're up to?
Mikko, I'm sure lots of people are already following you on the socials, but what's the best way that people can get in touch with you or find out what you're up to?
The best way to reach me is on Twitter as Mikko. That's M-I-K-K-O. That's it. Fantastic.
And you can follow us on Twitter as well at Smash In Security, no G, Twitter wouldn't allow us to have a G.
And you can check out our online store and grab some t-shirts and mugs and stickers just in time for Christmas at smashingsecurity.com/store.
And you can check out our online store and grab some t-shirts and mugs and stickers just in time for Christmas at smashingsecurity.com/store.
And thanks as always for listening. If you want to help us grow and deliver more cool content this week, get someone to leave us a review.
Go on and be a nice Christmas present for us. We deserve it, right? And high five to all our sponsors. Sponsors who make this show possible.
Go on and be a nice Christmas present for us. We deserve it, right? And high five to all our sponsors. Sponsors who make this show possible.
Yeah, until next time.
Cheerio. Bye-bye. Later, wonderful listeners. Rock and roll, boys.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guests:
Mikko Hyppönen – @mikko
Geoff White – @geoffwhite247
Show notes:
- Three years in jail for teenager who spammed out school bomb threats, and made hoax call about hijacked plane — Graham Cluley.
- Schools bomb hoaxes: Bodycam shows George Duke-Cohan arrest — BBC News.
- Bomb Threat Hoaxer, DDos Boss Gets 3 Years — Krebs on Security.
- Estonian DDoS revenge worm crafter jailed — The Register.
- Canada could be at risk of ‘nasty’ retaliation from China — Vancouver Star.
- Bad news for scammers. Huawei executive Meng Wanzhou has been released on bail — Graham Cluley.
- Child advice chatbots fail to spot sexual abuse — BBC News.
- Alibaba already has a voice assistant way better than Google’s — MIT Technology Review.
- Making a Murderer — Netflix.
- Making a Murderer lawyer Kathleen Zellner is true crime's new star — BBC News.
- Rebutting a Murderer podcast — Spreaker.
- DOOM (Shareware Episode) — Internet Archive.
- Doom (1993 video game) — Wikipedia.
- Points of Egress — Love + Radio.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Nice to hear from Mikko again