Smashing Security podcast #110: What? You can get paid to leave Facebook?

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Twitter and the not-so-ethical hacking of celebrity accounts, study discovers how you can pay someone to quit Facebook for a year, and the millions of dollars you can make from uncovering software vulnerabilities.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
MARIA VARMAZIS
As an American, I have no idea who they are.
GRAHAM CLULEY
I've sat behind Louis Theroux on an aeroplane.
MARIA VARMAZIS
It's like we're there right now.
CAROLE THERIAULT
Did you try and lick his hair?
GRAHAM CLULEY
No.
MARIA VARMAZIS
Is that a thing that you normally do?
Unknown
Smashing Security, episode 110. What? You can get paid to leave Facebook? With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 110.

My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And we're joined for this brand new 2019 episode by a returning special guest, Maria Varmazis. Hello, Maria.
MARIA VARMAZIS
Hello.
CAROLE THERIAULT
Hello, Maria.
MARIA VARMAZIS
Hello, Carole. Welcome back.
CAROLE THERIAULT
How are you?
MARIA VARMAZIS
I am great. Let's do the whole podcast this way. Let's keep it up. Oh my God, I could do it.
GRAHAM CLULEY
Yes, right. So everything good with you, Maria? You had a good break?
MARIA VARMAZIS
Oh, it was made extra special by receiving some Texan single malt whiskey in the mail from a listener named Adam, who's a buddy of mine. So thank you, Adam.
CAROLE THERIAULT
Sorry, a Smashing Security listener?
MARIA VARMAZIS
Yes.
CAROLE THERIAULT
Sorry, sent you whiskey?
MARIA VARMAZIS
Yes, which I'm totally open to receiving at any time from all listeners, for the record.
GRAHAM CLULEY
So hang on, hang on, this is my 110th episode and no one sent me any whiskey. How many bottles of whiskey have you received?
CAROLE THERIAULT
I'd rather not say.
GRAHAM CLULEY
Oh, okay.
CAROLE THERIAULT
Okay, no, really, zero. Actually, I don't mind because I'm not drinking at the moment. This is a 2019 New Year's resolution.
MARIA VARMAZIS
Oh, for the whole year or just for January?
CAROLE THERIAULT
January. What if I make it to the end of the week? It's a haram.
MARIA VARMAZIS
Some people try to go all of January without drinking. It's a thing.
GRAHAM CLULEY
Good luck with that. Now, we have a doozy of a show for you this week.
CAROLE THERIAULT
Graham tries to find out how much it would cost to get Maria off Facebook. No! Maria slaps Twitter's fingers for ignoring a reported problem with their service for more than 6 years.

And I look into bug bounty programs. Turns out they're not all created equal. All this and much more coming up on Smashing Security.
GRAHAM CLULEY
Recorded Future believes that every security team can benefit from checking out their free Threat Intelligence Handbook, which offers practical steps for applying threat intelligence in any organization.

For anyone who is baffled by threat intelligence and the benefits it can bring to your company, this is the book for you. It's an easy-to-read guide.

It'll help you understand why threat intelligence is an essential part of every organization's defense against the latest cyber attacks.

Download your free copy now by visiting smashingsecurity.com/intelligence.
CAROLE THERIAULT
Are you not running a password manager in your organization? What are you thinking? May I invite you to check out LastPass Enterprise? Just go to this URL: lastpass.com/smashing.

God, I find that so hard to say. lastpass.com/smashing. Here you can learn all about what password managers can do for your firm.

You can download a Forrester report all about the topic, and you can learn more about LastPass Enterprise.

I mean, if you want to solve poor password hygiene, if you fancy securing every password-protected entry point in your business, then put on your digital skates and slide on over to lastpass.com/smashing.

I use them, I heart them, so you should check them out. On with the show.
GRAHAM CLULEY
Maria, the big question, it's on everyone's lips. Do you have a New Year's resolution?
MARIA VARMAZIS
Hell no. Absolutely not. Have you ever done—
CAROLE THERIAULT
Ever had one?
MARIA VARMAZIS
I'm sure when I was more optimistic, yes, but I now know it's just setting myself up for failure, so I just don't bother.
GRAHAM CLULEY
Okay, well, look, we are going to suggest one to you, and that is to get you off Facebook once and for all for your sanity.
CAROLE THERIAULT
To protect you. It's good for you.
GRAHAM CLULEY
This actually is an intervention. You thought you were coming on as a podcast guest.
MARIA VARMAZIS
Oh no!
GRAHAM CLULEY
We are actually— this is— It's all a setup.
MARIA VARMAZIS
Is that why my mom's here?
CAROLE THERIAULT
Yeah, sit down and buckle up, Maria.
GRAHAM CLULEY
That's it. Or we'll buckle you up around the back, actually. This is the thing, right? We want to wean people off Facebook for their own sanity.

And I'm interested in what it would actually take. Could I bribe you, Maria, with money to leave Facebook?
CAROLE THERIAULT
Ooh, interesting concept. How much would it cost to pull you off Facebook?
MARIA VARMAZIS
I mean, technically nothing, but I don't know. I've never thought about it. Yeah.
CAROLE THERIAULT
Well, think about how much value you get out of it.
MARIA VARMAZIS
Very little.
CAROLE THERIAULT
So $500?
GRAHAM CLULEY
Could you quit for a year for $500 of your US dollars?
MARIA VARMAZIS
Of my US dollars, which is now worth very little. Thank you, stock market.
GRAHAM CLULEY
Well, compared to British pounds, I think it's about $50 is worth about 97,000 British pounds, I believe.
MARIA VARMAZIS
So what about Zimbabwean dollars? Are we there yet? What, 2 billion?
GRAHAM CLULEY
Anyway, listen, some people are actually turning to money as an incentive to quit Facebook.

6 years ago, for instance, there was a news report about a chap called Paul Baier, and his teenage daughter was getting a little bit sick of Facebook.

And so she asked him, hey, Dad, would you pay me $200 to quit Facebook? Presumably she said it in a Boston accent.
CAROLE THERIAULT
Where is she from?
GRAHAM CLULEY
I think she's sort of Massachusetts.
MARIA VARMAZIS
Yeah, they're from Wellesley, so they don't talk like that.
CAROLE THERIAULT
No one talks like that.
MARIA VARMAZIS
No one talks like that.
GRAHAM CLULEY
Anyway, he agreed. And he wrote up a contract which he got her to sign, as he told a TV station over there.

It turns out that Paul Baier's 14-year-old daughter was serious about quitting Facebook. So earlier this week, the Wellesley father and daughter signed a contract.

And I'll have access to her Facebook.
MARIA VARMAZIS
Oh, I love the bit where they have a laptop bouncing on the hood of the news van. It's like, this is what a computer is. This is what Facebook looks like.

For those at home who don't know.
GRAHAM CLULEY
She's pretty good about honoring a contract.
MARIA VARMAZIS
Oh, and the guy's got a Sox cap on in the story. I love my home state, it's so predictable.
CAROLE THERIAULT
And so she wants to leave Facebook and she wants to get paid to do it. Not bad.
GRAHAM CLULEY
Yeah, as a little incentive. And he agreed.
MARIA VARMAZIS
Amazing.
GRAHAM CLULEY
Now it got me thinking, you know, how much would it take to get people to quit Facebook? How much money would they have to be given?

And it's not just me who's thinking this, a series of boffins have also been exploring this question, and they have determined in a brand new study that the average person would need to be paid more than $1,000 to agree to stop using the social network.
CAROLE THERIAULT
God, I feel so cheap now. I did it for free.
GRAHAM CLULEY
It'd be good, wouldn't it, if there was some charity which popped up and said, oh yeah, we'll look out, you know, you could give your money to the starving in Africa or to—
CAROLE THERIAULT
Or to Carole Theriault, who gave up Facebook for a year. Exactly.
GRAHAM CLULEY
We do a charity song for Carole because she's given up on Facebook.
MARIA VARMAZIS
Do they know that Facebook really sucks? No, no.
GRAHAM CLULEY
Copyright. Get Bob Geldof on us now.
MARIA VARMAZIS
Don't sue me. Please don't sue me.
GRAHAM CLULEY
Now, this study by 3 economists and a social media researcher was published on the Public Library of Science website, and it describes how they ran a series of real-life auctions with real genuine money.

And they asked over 1,200 people to bid on how much money they would need to quit the social network for as little as an hour or even up to a year.

Now, the way this works, these sort of auctions, is it's kind of crazy, isn't it? Because if you say, well, please give me $20,000, right?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And I'll quit Facebook.
MARIA VARMAZIS
Sure.
GRAHAM CLULEY
Right? That's not quite how it happens. What happens is this: they give the money to the lowest bidder.

So the lowest bidder who agrees to sell their Facebook access gets the amount of money of the second lowest bid.

So in this way, people actually bid a realistic amount for what they would be happy to receive.
CAROLE THERIAULT
Sorry, don't follow. Do not compute.
MARIA VARMAZIS
They're trying to get people to stop inflation on the bids, basically. So the people who lowball are probably the people who are closest to the real value, is their guess. Right.
GRAHAM CLULEY
So they commit, they commit in advance to agreeing for the price of the second lowest bid. So that cuts out the really stupid bids.
MARIA VARMAZIS
Right, right, right. $1 million.
GRAHAM CLULEY
But, and it also, yes, it also cuts out anyone who puts out a really, really big bid as well.
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
So you go for the second lowest one in this particular setup because you're giving something away, you're not actually trying to win something.

So to receive the cash, they had to show a page from their Facebook settings showing the date when they deactivated their account and then when they reactivated their account, if they did bring it back after the year.

And they were also told that their accounts would be checked throughout the year to ensure compliance.
CAROLE THERIAULT
Now, are they checking it? Surely you're activating it.
GRAHAM CLULEY
Oh no, I don't think— it's not logging in. I think maybe you're Facebook friends with the boffins.
CAROLE THERIAULT
Oh, they see if you're online or something.
GRAHAM CLULEY
I imagine, or posting. Now I find this all full of flaws, to be honest.

As a sort of shyster myself, I'm instantly thinking, I'll say that I'll give up for a year, but of course you just create another account, don't you?
MARIA VARMAZIS
Is that what you did with the Smashing Security podcast page? Is there a shadow podcast page?
CAROLE THERIAULT
Hashing Smersh—
MARIA VARMAZIS
Hashing Smershmerdy.
GRAHAM CLULEY
Anyway, obviously there are ways around this, right? It's not entirely foolproof.

And you can imagine all kinds of ways in which you could game the system if you really, really wanted to.

They didn't really touch on that, but they do get this price of over $1,000. Now, some people refused to participate at all in the auction.

They said, you know, frankly, any deactivation of our Facebook account for a year would be so crippling. It's just not something we would ever welcome.
CAROLE THERIAULT
I can imagine for small businesses, that's the case, right? I mean, there's loads of web presences out there that only exist on Facebook. So people have shops there and stuff. Yeah.
MARIA VARMAZIS
Yeah. I could see that.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
This wasn't actually asking businesses.

This was mostly asking sort of students, you know, just sort of lolling around, not doing very much, probably just updating their Instagram when they're not on Facebook.

You know, it was those sort of people who are mostly being questioned.
CAROLE THERIAULT
Very scientifically explained. Yes.
MARIA VARMAZIS
Yes.
GRAHAM CLULEY
And some of them, of course, said, oh, give me $50,000. They obviously hadn't understood the rules of the actual auction to realize that wasn't going to work.

So they were kicked out as well. But they ran 3 different auctions. The average bid for a year's worth of Facebook account deactivation was over $1,000.

So what it seems to me is that despite all of the scandals and the data privacy screw-ups we've seen over the last year and the headlines, the Cambridge Analytica, the vulnerabilities, the trolls from Russia, the fake news, the sloppy handling of private data, users are still valuing Facebook really highly.

You can't imagine anyone actually paying $1,000 for Facebook, can you?
CAROLE THERIAULT
It's interesting how people use Facebook to stay connected. It is the biggest connection tool, isn't it, really?
MARIA VARMAZIS
Yeah, it's got its tentacles in everything.
CAROLE THERIAULT
Yeah, it's, what, 2 billion users or something?
MARIA VARMAZIS
Yeah, it's not easy to extricate yourself from it. That's the problem that I have. So even if you barely use it anymore, getting off of it completely is a different story.

You kind of have to leave a toe in, even if you're not really using it much.
GRAHAM CLULEY
And I can understand, I mean, I don't know your reasons for being on Facebook, Maria, but I know you've got a young child, for instance.
MARIA VARMAZIS
She's not on there though.
GRAHAM CLULEY
No, right. But maybe you want to keep people updated regarding, you know, you and what you're doing, you know, you can set your privacy. No, don't do anything.
MARIA VARMAZIS
What are you doing on Facebook?
CAROLE THERIAULT
Coffee mornings?
MARIA VARMAZIS
No, I honestly, it's most of my family lives very far away and same thing with most of my friends. They've all scattered to the four corners of the earth to find their fortune.

So I mainly just post bullshit memes on Facebook and leave comments on what my friends post. So they don't come to me to find out what's going on.

But when people make an event or something, that's basically what I use it for. But I don't use it for photos. I don't post updates. I'm barely using it. So yeah.
GRAHAM CLULEY
But you're privacy conscious, you're security conscious. I wonder if it's not a thousand.
CAROLE THERIAULT
What the hell are you doing, Maria?
GRAHAM CLULEY
What would Facebook need to do to get people to leave in droves? What more could they possibly do?
MARIA VARMAZIS
Facebook can't do anything.
CAROLE THERIAULT
How much more can they fuck up before you decide to leave?
MARIA VARMAZIS
It's the critical mass of people. That's the problem.

So I saw over the Christmas, New Year's break, I saw a ton of people posting these long-winded statuses or notes saying, I'm going to leave Facebook because it's just gotten to be too much.

And they were, here are all my reasons.

And then every single one, a week after they said they would quit, they were, I found out that I can't really quit because too many of you are still on here.

I mean, it was so predictable. So I'd read all of these and go, yep, I know what's going to happen here. Make a big noise and then nobody leaves.

It's just that everybody else is still on there. So you can't leave because where are you going to find your friends?
CAROLE THERIAULT
Well, Graham and I are not there.
GRAHAM CLULEY
You found us.
CAROLE THERIAULT
Yeah, but you don't count.
GRAHAM CLULEY
We don't count as friends. You don't count. We're podcasters. Yeah.
MARIA VARMAZIS
You're just voices in the ether, you know. Yes, it all comes out now in 2019.
GRAHAM CLULEY
What needs to happen is everyone needs to leave at the same time.

You need some kind of Jonestown scenario, some sort of solar temple cult saying on October 31st, the aliens are going to land, we're all going to die, so we have to drink this juice beforehand.

The truth is, right? Oh, well, this is the truth as I see it, is that Facebook is an addiction. But you know what? Why not go cold turkey right now?
CAROLE THERIAULT
Yeah, Maria.
GRAHAM CLULEY
But maybe going cold turkey is too difficult.

Maybe just like some folks are giving up drink, like Carole, or stopping smoking for a month, maybe there should be a month when everyone tries to get past without logging into Facebook.
CAROLE THERIAULT
Yeah, just deactivate and see how long it takes you before you activate again. I'm sure it is so slippery to reactivate.
MARIA VARMAZIS
I'm sure you'll even just go to the pages, bing, bing, bing, boom. No Facebook February, make a commitment.
CAROLE THERIAULT
Interesting.
GRAHAM CLULEY
Yeah.
MARIA VARMAZIS
I could try that. I could give that a shot.
GRAHAM CLULEY
Well, no, no Facebook in February.
MARIA VARMAZIS
The thing is though, I have two Facebook accounts.
GRAHAM CLULEY
Oh, because you've got a work one or something?
MARIA VARMAZIS
Yeah, I've got a work one and a personal one, basically.
CAROLE THERIAULT
So it's a personal one.
MARIA VARMAZIS
Okay. Yep. Okay.
CAROLE THERIAULT
And you can come on at the end of February maybe and tell us how it was.
GRAHAM CLULEY
We'll check up on you.
MARIA VARMAZIS
Yeah, I can do a No Facebook February. Absolutely.
CAROLE THERIAULT
Okay, I'm off your list.
GRAHAM CLULEY
Okay. All right.
MARIA VARMAZIS
Because it's the shortest month of the year, so, you know, whatever gets you through, baby.
GRAHAM CLULEY
Maria, what story have you got for us this week?
MARIA VARMAZIS
Well, the long and short of it is, how nicely do you have to ask a company to fix a vulnerability if it's been around for, oh, I don't know, 5, 6, 7 years? They haven't fixed it.

It's been kicking around. What do you do?
CAROLE THERIAULT
Yeah, it's a crazy situation. The fact that when you go and report it and you don't hear anything back, what do you do? How frustrating.
MARIA VARMAZIS
Yeah. I mean, do you just continue to ask nicely or do you go tell the world?

So there's a security firm called Insinia, and they wanted to highlight a longstanding Twitter bug that has existed for 6 years.

And what they did, basically zero-day style, is they hijacked the accounts of various celebrities and posted phony tweets to their accounts to demonstrate how the zero-day worked.

Or I'm calling it a zero-day, whatever, if it is or not, you know, that's up for discussion.
CAROLE THERIAULT
6-year-old zero-day.
MARIA VARMAZIS
Yeah. It's kind of weird to call it that, but so they wanted to show it live. Right. They wanted to do it live.
GRAHAM CLULEY
Yep.
MARIA VARMAZIS
So to do that, they actually posted funny tweets to accounts of a bunch of people who I do not know, but Louis Theroux, Simon Calder, Saira Khan, Eamonn Holmes.

I don't know who these people are, but they're verified on Twitter. So I assume that they're very important.
GRAHAM CLULEY
Very, very important. Well, I know who two of those are.
CAROLE THERIAULT
Yeah, I know who two of those are too.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Okay.
MARIA VARMAZIS
So their names you recognize as an American. I have no idea who they are.
GRAHAM CLULEY
I've sat behind Louis Theroux on an airplane.
MARIA VARMAZIS
It's like we're there right now.
CAROLE THERIAULT
Did you try and lick his hair?
MARIA VARMAZIS
Is that a thing that you normally do, Graham?
GRAHAM CLULEY
I've sat on a sofa with Eamonn Holmes. So those are the two I know.
MARIA VARMAZIS
Did you try to lick his hair? Okay, this is— we need another podcast for this because I need to explore what's going on there. That's okay.

So Insinia was basically trying to show that there's a really remarkably simple problem with Twitter where if you know a user's phone number and that user has their phone number attached to their account, which many of us have for two-factor reasons, you can spoof a tweet or a retweet or a like to that person's account with very simple technical know-how, basically.

So all you need to do is just basically send a text to Twitter with that person's phone number and a little bit of something else and there you go.

You've now posted a phony tweet to their Twitter account.
CAROLE THERIAULT
OMG. This has been lurking around for 6 years and no one even cared.
GRAHAM CLULEY
It's madness, isn't it?
MARIA VARMAZIS
Yeah, so you know how we talked about in December about spammy promotional tweets on Twitter that have been the accounts that have been hijacked?

This to me seems a bit more under the radar, but sort of in that vein.

So you could post a nasty fake tweet to somebody's account and yeah, they could notice it and then delete it later.

But if that person's abandoned their account or something, you could really take over what they're putting out there and put all sorts of nasty shit out there in perpetuity. Yeah.

So that actually could be pretty dangerous if you think about it, malicious links or links to terrorist propaganda or you name it, that could get kind of gross pretty fast.
CAROLE THERIAULT
You know what? Ironically, if people did start doing that, Twitter would probably do something about it.
MARIA VARMAZIS
Interesting you say that. So Insinia said, you know, we've been waiting 6 years and rattling cans and throwing boots at Twitter's head and stuff, but they're not doing anything.

So we're tired of waiting. And so they decided to draw attention to the issue by, quote, ethically hacking accounts.
GRAHAM CLULEY
Mm-hmm.
MARIA VARMAZIS
They're ethically hacking. What does that mean? In their own words, they said they contacted the user notifying what was about to happen.

So we're gonna hijack your account, post some tweets to it. You can't stop us, but we're gonna do it. They then sent the passive command in order to send the tweet.

They then retweeted their own tweet with a link to their own blog post explaining what happened and how it works.

And then they offered to provide support to anyone who was concerned about the attack and wanted additional information on how to protect and secure themselves.

So they weren't hiding.
GRAHAM CLULEY
But they also didn't ask for any permission, did they?
MARIA VARMAZIS
Right. They did not. They were just we're going to do this. Heads up.
CAROLE THERIAULT
Yeah, because it's not Louis Theroux's fault, for example, that Twitter have this bug.
MARIA VARMAZIS
Correct.
CAROLE THERIAULT
Yet it's his account that has been smacked around looking— and he looks like a dumbass.
MARIA VARMAZIS
Yeah, yeah. And it's just this account has been hijacked ethically. It has been ethically hacked. Here's what's going on. It's really?

So just to be clear, they never had control over the accounts that they hijacked. They just were— they're just able to send those tweets.

And they were able— and they were pointing people to blog posts saying, yeah, this is us doing it. It's not the account owner.

We're totally taking accountability for what we're doing. So there's no mystery. And they communicated what's going on and how people can protect themselves.

But the folks who actually got their Twitter accounts compromised did not agree. So Simon Calder for— surprise!
GRAHAM CLULEY
How completely unreasonable of them.
MARIA VARMAZIS
Right. So Simon Calder was interviewed by the BBC about this and he said—
CAROLE THERIAULT
Was he outraged?
MARIA VARMAZIS
No, he said he confirmed the attack had been done without his permission and he described it as, quote, tedious and annoying.
CAROLE THERIAULT
Okay, that's so English.
MARIA VARMAZIS
And it was an experience that had left him feeling unimpressed. Yes, I love it. So here's the funny thing. After all this, it actually—
CAROLE THERIAULT
This tactic worked.
MARIA VARMAZIS
It worked.
CAROLE THERIAULT
You see it?
MARIA VARMAZIS
Apparently Twitter has now actually fixed this problem because of these nasty tweets that Insinia sent out through other people's accounts.

They used zero-day tactics, sort of, I guess, sort of a stretch to get attention on this issue, on this really old problem with really questionable ethics, but it worked and the harm was minimal to the victims.

What do you think?
CAROLE THERIAULT
One thing that I noticed, they are defining what they say ethical hacking is.

Right, they're saying ethical hacking is, well, we're coming clean and we're doing this, therefore it's fine.
MARIA VARMAZIS
Yeah, they made this decision without talking to anybody.
CAROLE THERIAULT
Yeah, but by putting the word ethically in front of it doesn't make it ethical.
MARIA VARMAZIS
No.
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
Yeah, but it worked. And I'm sure for them, but it worked. That's for them, the end goal is get Twitter to fix their shit.
GRAHAM CLULEY
It was also arguably illegal what they did.
CAROLE THERIAULT
I don't think arguably, I think it is.
GRAHAM CLULEY
Well, you know, this was unauthorized access to other people's accounts. It wasn't done with their permission.

And in fact, a very similar stunt was performed just a couple of weeks before Insinia did it.

A guy I know called Richard de Vere, who's also known as the Anti-Social Engineer, he worked with Computer Weekly magazine, and with their agreement, as an experiment, he basically hijacked Computer Weekly's account and got them to post a message.

They knew that he was going to do it, but it was all under his control, and they then wrote that up.

Whereas Insinia— and they got an awful lot more PR attention from this— hacked into basically celebrity accounts and posted these messages and caused some concern.

Now, what's curious is Insinia have on their board, some of the top dogs at the company are actually former members of the Met Police and the Computer Crime Unit.
MARIA VARMAZIS
That's a great little bit of color.
GRAHAM CLULEY
You would expect them to know a thing or two about the computer crime laws. And it feels to me this was just a huge PR stunt. But even if this was—
MARIA VARMAZIS
Come on, 6 years! Well, yes.
GRAHAM CLULEY
You're right, that's not good at all. But Computer Weekly and the work done by the Antisocial Engineer had already raised awareness of this.

And it was in the public eye, albeit, you know, wasn't picked up by the Daily Mail and co. the way Insinia's stunt was because of the celebrity angle.
CAROLE THERIAULT
And the problem didn't go away.
GRAHAM CLULEY
Well, that was only days before they then did it and were claiming all the credit for having this amazing discovery. It's, well, this has been known for years.
MARIA VARMAZIS
Yep, yep. Yes, that's true.
GRAHAM CLULEY
I would imagine most of us would never want to update Twitter via SMS anyway, by sending an SMS message.
MARIA VARMAZIS
Not anymore. When Twitter first started though, I remember I actually used that method.
GRAHAM CLULEY
Yeah, maybe 10 years ago you might have done that. But I mean, I think for most of us it just became an impractical way to interact with the site.

And the bad thing has been that, as far as I know, there hasn't been a way to turn that off.

And the PIN code, which Twitter could supply for you to use as a security measure to protect your account.

And so you had to send a message with your specific PIN code to update your account. That only worked in some countries. It didn't work in all countries.

I think it may be relevant that these particular attacks all appeared to happen against UK-based accounts. So things with Twitter and SMS work differently in different countries.

One thing to be aware of.
MARIA VARMAZIS
Yep.
CAROLE THERIAULT
Yep.
MARIA VARMAZIS
You know what though?
CAROLE THERIAULT
It's a really good lesson though for people that have services with legacy functionality that's no longer popular.
MARIA VARMAZIS
Maybe turn it off.
CAROLE THERIAULT
Maybe turn it off. I've worked in big companies and people hate revisiting old code and deciding whether they should retire stuff. It's so boring and people hate doing it.

And this is what happens. They probably thought it wasn't important because it's a functionality that people don't use.
MARIA VARMAZIS
Or they forgot that it was even there.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And wouldn't it be great if Twitter now decides to change its default?

So if you create an account on Twitter now, wouldn't it be great if all this SMS nonsense, which the vast majority of people would never need, were disabled by default?

And you had to knowingly turn it on and say, "Yes, I want to be able to interact with my account via SMS." I just wanted to ask a quick question.
MARIA VARMAZIS
Do you think we're gonna see other people trying to do this kind of stunt work, this kind of bullshit stunt work that, I mean, we see it all the time anyway, but since this actually worked, is this gonna create a lot of copycats?
GRAHAM CLULEY
Well, that's a real danger, isn't it?
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
Is that seeing anyone in the security community think, "Oh, the computer crime laws don't account.

They don't cover us, you know, they don't abide by us, and so therefore we can go and do what we want." It does kind of give the green light to others to do similar things.

And I think most people in the security research community think, no, what happened here was wrong.
MARIA VARMAZIS
It shouldn't have been done this way. It was irresponsible disclosure.
GRAHAM CLULEY
It wasn't just the disclosure, it was the fact that they—
MARIA VARMAZIS
They hacked something.
GRAHAM CLULEY
They abused other people's accounts without their permission.

You know, I could have tapped on Louis Theroux's shoulder when I was on the airplane and said, "Hey, Louis, do you mind when we land, can I lick your hair?" That's what they should have done, right?
MARIA VARMAZIS
Yes. Consent is a thing. Yeah.
CAROLE THERIAULT
You know, Graham, maybe for February you should give up Twitter.
GRAHAM CLULEY
Oh, yeah.
CAROLE THERIAULT
You keep going on at Maria.
GRAHAM CLULEY
Bollocks to that.
MARIA VARMAZIS
It's his podcast. He doesn't have to do that. You see?
CAROLE THERIAULT
Oh, how addiction is defensive.
MARIA VARMAZIS
Shall we go on?
CAROLE THERIAULT
I'm not talking to you anymore. So today we are skipping off to the wild world of bug bounty hunters. Can someone be a full-time bug bounty hunter and make a worthwhile career?

Basically make enough money to live. The thing is, we have oodles of listeners that are tech savvy, right?

So this could maybe be a surefire way that they might be able to make a living.

Bug hunting kind of evolved with tech savvy and curious guys and gals tinkering away, poking and prodding away at a new system or application or service.

If they found a serious bug or problem, many would report it to the company that was in charge of that service or application or whatever.

And they may be doing it for the kudos or to make the service less vulnerable for other users or whatever their motivation. Few expected to be paid for it in the early days.

And from a typical bug hunter point of view, the gold would come if the company publicly announced, thanks to the bug hunter's discovery and report, the company fixed the vulnerability before it was ever exploited, right?

And now that person got a good career ahead of them.
GRAHAM CLULEY
Good news.
CAROLE THERIAULT
Yeah, exactly. Now, a company with a zero-day vulnerability did not always respond predictably when they were told about it, right, Maria?
GRAHAM CLULEY
Mm-hmm.
CAROLE THERIAULT
As we've just seen.

So where one company might take it seriously, assess the report, and address the issue, another company might just ignore the messages from the security researcher, either not checking, you know, the public-facing email account to which the bug was sent or not prioritizing the problem.
MARIA VARMAZIS
Happens all the time. Yep. Sending the lawyer after the researcher is another one they love doing.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Yeah. And this was the case, in fact, with the Equifax cyber snafu, right?

6 months after a security researcher first notified the company about the vulnerability, Equifax patched it, but only after the massive breach put millions and millions of people's personal info at risk.
MARIA VARMAZIS
I am on the floor shocked. I can't get up. I just can't get over this. I know, but in a way, your blood should boil because it's so—
CAROLE THERIAULT
I mean, that makes it so fricking annoying. They were actually forewarned and did nothing, right?

And it's so ironic because if companies were thinking logically, it's of course much, much, much preferable to find out about a zero-day or a serious vulnerability directly and privately rather than having it splashed all over the news, as per your story, Maria.

And should the vulnerability end up making headlines, it's much, much better that said company can say, hey, we've already resolved it.

You know, they don't have to deal with the media fallout as well as the vulnerability.
MARIA VARMAZIS
Security.
CAROLE THERIAULT
So this is where bug hunter bounty firms fit in.

So these investor-backed fat cats are kind of streamlining the process as well as driving some serious revenue into the business model.

The main players in the space include HackerOne, Synack, and Bugcrowd. And these firms help run bug bounty programs for clients.

And they also seek out researchers to find vulnerabilities in return for a payout. So it's a nice little system, little ecosystem going.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
HackerOne, for instance, say they paid just shy of $2,000 per critical vulnerability in 2017.
GRAHAM CLULEY
Is it them paying it though, or is it the company which had the vulnerability?
CAROLE THERIAULT
Well, how much has been paid out using their—
GRAHAM CLULEY
Oh, I see. Critical vulnerability, you get that kind of money. Oh, okay.
CAROLE THERIAULT
And then on Synack, they say about $650 per vulnerability, and that's not critical, but vulnerability. And they say some have paid up to $30,000 for uncovering critical bugs.

And then you've got Bugcrowd. They have about 3,000 people working for them, and they average between $1,000 and $2,000 for all bugs. So you can kind of see a price point there.
GRAHAM CLULEY
And I think it's good that people are finding the bugs who are basically doing the work of the software and hardware manufacturers, which they should have done.

Yes, they should be rewarded for finding these bugs and vulnerabilities.
CAROLE THERIAULT
Oh, absolutely. You know, all the time these guys are wasting, not finding stuff and therefore not getting paid for it.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Right? So, yeah, I mean, I'm surprised it's so low, but in comes this company called Zerodium.

Zerodium announced today, this being the day of recording, Tuesday, payments of up to $2 million for iOS hacks and $1 million for chat app exploits.
MARIA VARMAZIS
But not just any iOS hacks, I would imagine, they're very specific ones, right?
CAROLE THERIAULT
Exactly. Now look, I've shown you their price list here and you can see some of the stuff that they are offering money for.

So if you can remotely jailbreak an Apple iOS, they'll give you $2 million for it.
MARIA VARMAZIS
Yeah. Okay.
CAROLE THERIAULT
And that's up $500,000 from the previous year. So you can see this is big money and this has obviously gotten big headlines.

Now before you get excited, especially after the financial hit that was Christmas, Zerodium are a very different breed of bug bounty hunter firm.

They're certainly getting all these big headlines with their big payouts, but what they do with the vulnerabilities that they buy from independent researchers— so they pay the independent researcher for the exploit, but they don't sell it to the company.

They sell it to government intelligence services so that they can take advantage of these loopholes.
MARIA VARMAZIS
Eek. Eek. Oh, of course.
CAROLE THERIAULT
So law enforcement and intelligence agencies are kind of their target market.
GRAHAM CLULEY
Why? Because they're the ones with the money and they're the ones who really want to hack into somebody's iPhone.
MARIA VARMAZIS
Oh, yes.
GRAHAM CLULEY
And they want to use a vulnerability which hasn't been patched and which isn't going to become known to, for instance, Apple or Google.
CAROLE THERIAULT
This is the ultimate ethical issue here. The premise here is not to make the service safer, but to help authorities get access to information they really shouldn't have.

Finding a route into private messages, for instance.
MARIA VARMAZIS
I'm sure something has been happening on the black market for ages. Just these are people working for somebody else and we didn't know about the transactions.

So this is sort of making it a little more visible.

But, you know, if you want these kinds of really hot-button vulns, you got to be willing to pay serious money because $1,000 is not going to get somebody's attention necessarily.

$1 million, $2 million. Yeah.
CAROLE THERIAULT
Yeah. CNN Business said Zerodium is a cyber arms dealer. It pays hackers to learn about their tactics, then packages and sells it to elite subscribers.

Now, the problem I have here is you're talking, Graham, I saw the article and the comment you just made about intelligence companies and governments having a lot more money to pay for these loopholes.

But I don't know, I poo-poo that a bit. I mean, Google and Apple are not hurting, right?
GRAHAM CLULEY
Amazon are not hurting. Yeah, but they don't want to get into a game where the price is constantly going up to extortionate, incredible levels for bugs being reported to them.
CAROLE THERIAULT
Remember T-Shirtgate in 2013? Yahoo were accused of paying for very serious bug finds, which were 4 XSS vulnerabilities. They paid with a t-shirt, a $12.50 t-shirt.
MARIA VARMAZIS
Yeah, but this is cross-site scripting. That's not a big deal.
CAROLE THERIAULT
That's no big deal.
MARIA VARMAZIS
That's no biggie.
GRAHAM CLULEY
But they did subsequently initiate a proper bug bounty program.
CAROLE THERIAULT
Because someone went public with the fact that they were pissed off with getting a $12.50 t-shirt.
GRAHAM CLULEY
But you can't go from one extreme to the other, Carole. You can't go from a $12 t-shirt to $2 million.
CAROLE THERIAULT
No, but listen, I was reading the story about Philippines-based bug bounty hunter Evan Rickaford, right?

He spends 75 hours a week, he says, looking for bugs, and he averages about $187 a month.

Now, before you think he's obviously very crap at his job, he has found vulnerabilities in products from over 200 companies.

And $187 is the average salary in the Philippines, but it certainly ain't for the US, UK.
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
It ain't gonna cut it.
MARIA VARMAZIS
No, that's like one burger.
CAROLE THERIAULT
Exactly. Depending on where you go.
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
So I guess the question is, do we think these bug hunting firms are valuable middle guys that might help grease the wheels for safer code and actually pay researchers what they deserve?

I'm not just talking about Zerodium here. I'm talking about bug hunting firms in general, like HackerOne or—
GRAHAM CLULEY
The likes of HackerOne are running the bug bounty programs for big tech firms, aren't they?

And so the tech firm partners up with HackerOne and says, these are the rules of our bug bounty program. This is the money. Please, can you run this for us?

Because we're a software company. We've got no idea how to run a bug bounty program. HackerOne isn't then selling them off to the highest bidder, those vulnerabilities.

Those vulnerabilities are only going to get passed on to the people who can actually fix the problem.

So the unpleasant thing here, I'm afraid, is Zerodium and its ilk, who are basically selling to the highest bidder.

Now, having said that, would it be any better if they were driven underground?
MARIA VARMAZIS
Yeah, because that's where this is going on anyway.
CAROLE THERIAULT
Wouldn't it be better if legitimate firms like HackerOne told their clients, hey, maybe up the bug bounty from $25, buddy?
MARIA VARMAZIS
Yeah, you gotta walk before you run though, right? I mean, if you think about the t-shirt game, in 2013, you were lucky if you got a response from somebody if you sent in a vuln.

And I don't think a lot of people were even paying any bounties back then. They're still kind of a new thing.
CAROLE THERIAULT
Turns out if you find a bug in Twitter, you're lucky in 2018.
MARIA VARMAZIS
Right. So, I mean, the fact that bug bounties now exist and are being adopted is great progress compared to where we used to be just a few years ago.

So it'd be great if companies paid more. But I mean, the fact that some of them are doing it at all is like pulling teeth.
GRAHAM CLULEY
Why don't the intelligence agencies use these vulnerability brokers against each other?

Why don't you go to vulnerability broker number one, get a hack which you then use against vulnerability broker number two to spy on their communications and all the vulnerabilities they are selling to other countries, and then you get all the rest of them for free?
CAROLE THERIAULT
Or why not appeal to smart security researchers and say, before you get into bed for the highest price, why don't you find out what the information that you're providing them is going to be used for and who it's going to be sold to?
GRAHAM CLULEY
I think once you've sold it to the likes of Zerodium, you know, it's up to them what they do with it. You don't have any control over it.
MARIA VARMAZIS
It's out in the world. It's out in the wild.
CAROLE THERIAULT
Yes, but you can choose before, you know, who you partner with. If you found an exploit, you don't have to, you're not necessarily in bed with one player the entire time.
GRAHAM CLULEY
Absolutely right. And I think a lot of security researchers would feel very uncomfortable selling their exploit even for $2 million.

A lot of them would view it as an almost religious zealot-like thing. It was like, we have to tell the vendor.
CAROLE THERIAULT
And thank the Lord for that.
MARIA VARMAZIS
Ethical security researchers, yes.
GRAHAM CLULEY
Yeah.
MARIA VARMAZIS
There are a lot of people who are going to go, $2 million is not enough, and I'm going to go elsewhere to find some cash.
CAROLE THERIAULT
Yeah, yeah, yeah.
MARIA VARMAZIS
So it's a thorny problem for sure.
CAROLE THERIAULT
I mean, all this said though, I think this industry of having bug bounty program marketplaces, not necessarily those that sell it to intelligence agencies, but actually help make, you know, security better and make services more secure.

I think it's percolating and it's going to settle, and I think it's going to be an industry.

You know, this certainly will prepare you well for a job in IT and cybersecurity if you start looking into bug bounties and how you can help companies make their security better.
GRAHAM CLULEY
I've had another evil thought.

Imagine you worked at one of these big tech companies, and you heard that there's the possibility of making $2 million, and you could actually embed something, a bug, inside the code.
CAROLE THERIAULT
You're stealing this from that story you told about the— was it the lottery guy? I don't know who told it, but it was on the podcast a few months ago.
GRAHAM CLULEY
Dave Bittner, about the lottery.
MARIA VARMAZIS
You're lifting stuff from Bittner now, man.
GRAHAM CLULEY
I know.
CAROLE THERIAULT
But that was the same premise.
GRAHAM CLULEY
I'm just saying, with $2 million on offer or that kind of money on offer.
CAROLE THERIAULT
Chump change, Graham. Chump change.
MARIA VARMAZIS
Yeah, but after taxes.
GRAHAM CLULEY
And welcome back. And you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
MARIA VARMAZIS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Definitely should not be.
GRAHAM CLULEY
And my pick of the week this week is not security-related. It is very simple.
MARIA VARMAZIS
Huzzah!
GRAHAM CLULEY
It's a website, and it's a website with a .bg domain. Bulgaria, I believe. But it's—
CAROLE THERIAULT
Belgium?
MARIA VARMAZIS
I thought—
CAROLE THERIAULT
Oh no, that's .be, isn't it?
GRAHAM CLULEY
Yeah, I think .bg is Bulgaria. I think, I don't know. But anyway, it's nothing Bulgarian. It is a website called remove.bg, and if you go to remove.bg, something magical happens.

All you have to do is upload an image, a picture of a person, and remove.bg, better known as remove background, will remove the background.

So it gives you a transparent PNG file or a GIF with just the person.

So, Carole, if for instance I took a photograph of you or your loved one took a photograph of you and you had something embarrassing—
CAROLE THERIAULT
My loved one?
GRAHAM CLULEY
Have you just done it, Maria?
MARIA VARMAZIS
I just did. That actually worked. I gave it a really complicated photo with a lot of noise in it and stuff, and it did a great job.
GRAHAM CLULEY
It's pretty clever, isn't it?
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
I'm surprised that you slapped up a photo of yourself without checking the privacy policy, Maria.
GRAHAM CLULEY
Just uploaded a meme.
MARIA VARMAZIS
It's not a photo of me.
GRAHAM CLULEY
Oh.
MARIA VARMAZIS
Smart girl.
GRAHAM CLULEY
She's destroyed someone else's privacy.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So, Carole, this is the thing though. If someone took a photograph of you and you had something embarrassing on the—
CAROLE THERIAULT
Like you behind me.
GRAHAM CLULEY
On the mantel shelf behind you, you know, and you thought, I don't want that in the picture because people will laugh, then put it through remove.bg.

You can do this kind of thing with Photoshop and other tools, of course. And normally I do.

I have a specific tool for doing this on my computer, but then I came across this site and it's so easy.
CAROLE THERIAULT
Why is the picture on the home page of a girl with crazy hair? Oh, is that to show how amazing it is at cutting out the background with all the strands of hair? I understand.
MARIA VARMAZIS
Ah, this used to take so much time to do manually in Photoshop. This is amazing, and it always looked shit when I did it.
GRAHAM CLULEY
I remember you doing something like this with a picture of Hamster, because you wanted a hamster to appear in a teacup. Do you remember?
CAROLE THERIAULT
Oh yeah, that was, that was, that's about 20 years ago. Yes, it was when I first started working.
GRAHAM CLULEY
There was a virus, it was called Hamster or something like that. Oh my God. We wanted to, and it was a storm in a teacup.

So you said, what we need is a picture of a hamster in a teacup.
CAROLE THERIAULT
And I said, there you are with the lasso tool in Photoshop 2.
MARIA VARMAZIS
12 hours later, there's jaggedy edges everywhere. And then you're like, what the hell is anti-aliasing? And then yeah.
GRAHAM CLULEY
There is a drawback with remove.bg, which is that it is not compatible with hamsters. I have tried. It only recognizes—
MARIA VARMAZIS
Feed me a hamster.
GRAHAM CLULEY
It only recognizes human faces. You could put a human face on a hamster and then it might work, of course. That is possible. So there you go. Remove.bg is my pick of the week.

Thank you very much.
CAROLE THERIAULT
Not bad.
MARIA VARMAZIS
Not bad. Yeah, that was pretty cool. I like it. I'm adding that to my bookmarks. That's service-y.
GRAHAM CLULEY
Bookmark Maria. Maria, what's your pick of the week?
MARIA VARMAZIS
My pick of the week is a wee bit controversial, and—
CAROLE THERIAULT
Oh, that's refreshing.
MARIA VARMAZIS
Yeah, it's something that everyone I know has been talking about since it came out, and I just— I— it's my pick of the week simply because I want to get us talking about it, and I really want to hear your thoughts.

Okay, so my pick is the Marie Kondo show on Netflix called Tidying Up. And I will admit that I really enjoyed it. And I know a lot of people who hate it.

And the reason I like it is because mess and clutter drive me insane.

Marie Kondo, who is a Japanese organizational expert, she goes into people's houses and helps them get their stuff in order.

She has a TV show all about her specific tidying up philosophy.

So she goes to a lot of American homes in Southern California that are all extremely, kind of, prestigious, and does a very gentle intervention with them, saying, let's just get your house a little more in order.

Let's get rid of all the extra shit you don't need. She doesn't say it like that. She's much nicer than me.

And it's done in a way that's very respectful to the people as well as to their things.
CAROLE THERIAULT
She doesn't sit there and go, fire up the incinerator!
MARIA VARMAZIS
This is not like that. It's very, very gentle. And you always end an episode feeling really good about everything that's happened for the most part.

It's the most— the only way I can think of it is the Great British Bake Off is really popular in the States. And now we have our own version of it.

It's a very gentle reality show that is a feel-good reality show where nobody's yelling at each other.
CAROLE THERIAULT
It's great.
GRAHAM CLULEY
So I saw you put this on the list. So last night, I realized you were going to speak about this.

So I said to my wife, let's go and check out this TV show that Maria is going to talk about tomorrow.
CAROLE THERIAULT
Let's see if it's worthy of our time.
GRAHAM CLULEY
And my wife said, Marie Kondo. I said, yes, have you heard of her? And she said, oh yeah, we've got books of hers cluttering up our bookshelves.
MARIA VARMAZIS
Missing the point. Yeah.
GRAHAM CLULEY
So we put on the show and I have to say the first episode I saw, I was thinking, what?

I couldn't understand it because this couple had a house which I thought was perfectly tidy, had considerable storage space compared to mine.
MARIA VARMAZIS
Oh yeah, the houses are all enormous because they're all in Southern California. It was enormous.

Yeah, I'm watching the show, I'm also American going, these houses are 5 times the size of mine and they can't see their kitchen countertop.

Meanwhile, my house is probably the size of their bathroom. I mean, it's just I can't, I don't understand what they're cluttering up with.
GRAHAM CLULEY
The first house in the first episode, I thought, okay, they're kicking off the series, let's see how good it gets. It was: this is hardly untidy at all. They had 2 young kids.

And you—
CAROLE THERIAULT
Graham, I've seen your office.
MARIA VARMAZIS
This is very revealing about you, Graham, but go on.
GRAHAM CLULEY
Yeah, crow, crow. I know you've seen my office. This is in order to dampen any echo that I have items around me. Okay.
CAROLE THERIAULT
Oh, of course. That's why it was that 10 years ago as well.
MARIA VARMAZIS
It's for science. It's actually for science.
CAROLE THERIAULT
Yeah. You were preparing for your podcast future.
GRAHAM CLULEY
But there are shows on in Britain and maybe you have them in the States as well, which are seriously about hoarding.
MARIA VARMAZIS
Yes.
GRAHAM CLULEY
Where you actually have to tunnel into the house past the milk bottles full of urine and the newspaper collection.
MARIA VARMAZIS
Yes. Oh, there's a lot of those in the States. I can't watch them, but yes, they exist.
GRAHAM CLULEY
So I was expecting some of that rather than this rather petite sort of gentle sort of Japanese woman who was hoping that clothes sparked joy and you had to be respectful to the clothes.
MARIA VARMAZIS
It's very Shinto. I love it. She was a Shinto shrine maiden before she started doing this. And in Shinto, you believe that all objects have a spirit. So that's where that comes from.

I love it. I think it's great.
CAROLE THERIAULT
Ooh, who's got the Japanese bugs as they travel?
MARIA VARMAZIS
I minored in Japanese in college.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
That's true. That's true. Sorry, I take it back.
GRAHAM CLULEY
I didn't dislike it. I just thought, couldn't they have found some people who had less tidy homes?
MARIA VARMAZIS
Have you watched the whole series?
GRAHAM CLULEY
I've watched two episodes.
MARIA VARMAZIS
Okay, keep going.
GRAHAM CLULEY
And the second one, they did have a guy who had loads of baseball cards and a woman who had a huge mountain of ugly clothes.
MARIA VARMAZIS
Yeah, I mean, that house was insanely cluttered. You didn't think that was that bad?
CAROLE THERIAULT
You thought it was normal?
MARIA VARMAZIS
I mean, that house is the size of a football stadium and you couldn't see the floor. I don't know how much more cluttered you needed to get.

I mean, they had an entire bathroom they couldn't find anymore. I mean, I cannot relate to that.
GRAHAM CLULEY
I just thought— I thought that when they had the before and after pictures, there should be more of a difference because it's like, oh, the before picture, oh look, now they've done it in moody black and white, and the after picture is in— It's hardly changed at all.

Could they have not added another 10 minutes to the program? They could have sent someone in to put up some new shelves or something like that.
MARIA VARMAZIS
It's not a home renovation.
GRAHAM CLULEY
Well, that's what it needed. I wanted that Japanese woman to knock up some shelves or something.
CAROLE THERIAULT
Okay, Marie Kondo, whose name you can't even remember.
MARIA VARMAZIS
Yeah, Marie Kondo. She's a Brazilian air, so, you know, I don't think she's mad about it.
GRAHAM CLULEY
She's a Brazilian, is she?
MARIA VARMAZIS
Brazilian air, yes. She's got Brazilian air.
GRAHAM CLULEY
Maybe a billion Brazilians.
MARIA VARMAZIS
Yes.
GRAHAM CLULEY
Carole, what have you got for us?
CAROLE THERIAULT
So my pick of the week is a wonderfully told whodunit podcast series from New Hampshire Public Radio called Bear Brook. I listened to it during the Christmas hiatus and I loved it.

So in 1985, the bodies of a young woman and a little girl are found in a barrel in the woods of Allenstown, New Hampshire. And 30 years later, the cops still hadn't identified—
GRAHAM CLULEY
Is this true? Is this a—
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Real story? Oh, right.
CAROLE THERIAULT
Yes. There are 6 episodes that tackle the murders from a variety of different standpoints. They talk to residents, they talk to cops, they talk to amateur detectives.

There's a load of people that have been just obsessed with this whole case and trying to find out who these people are.

So the podcast introduces you to a serial killer known as the Chameleon. And really, it totally blew my mind. I actually— I think I listened to all 6 episodes in a row.

The case also led to massive changes in how murders will be investigated from now on.

And that's a little teaser because it has something to do with the topics that we sometimes talk about.
GRAHAM CLULEY
Oh, go on, tell us. Go and give us a bit more of a hint than that.
CAROLE THERIAULT
I don't know if I can.
GRAHAM CLULEY
What? So is there something— is there something computer—
CAROLE THERIAULT
I don't know, just listen to it.
MARIA VARMAZIS
It's worth it.
CAROLE THERIAULT
It's worth it. There's something, modern technology, that has come in full force because of the internet, that plays a huge part in discovering who these people are.
MARIA VARMAZIS
Okay, it was DNA. Biometrics, maybe. Maybe you should listen.
CAROLE THERIAULT
So all I want to say is hat tip to the Bear Brook team, because I think it's just a great piece, a great production piece. I love it, and I want more of it.

So well done, and you guys should check it out. It's worth the time. So that's Bear Brook from New Hampshire Public Radio.
GRAHAM CLULEY
Do they end up catching the chameleon or does he blend into the background?
CAROLE THERIAULT
Can you just— Yeah, they couldn't find him. Boom, boom.
MARIA VARMAZIS
Well, yeah.
GRAHAM CLULEY
On that piece of comedy gold, it's about time to wrap up the show for this week. Maria, I'm sure lots of listeners would love to follow you online.

What's the best way for them to do that?
MARIA VARMAZIS
They can find me on Twitter. I'm still on there, haven't quit it yet. So @mvarmazis, find me there.
GRAHAM CLULEY
You won't find her on Facebook in February though. You can also follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G.

And you can check out our online store if you're interested in getting t-shirts and mugs and things like that at smashingsecurity.com/store.

And let me tell you, we don't make a single cent out of our store because, well, I'd like to say it's because we're really generous, but the truth is we just don't fancy dealing with the tax man.
CAROLE THERIAULT
Thank you to all our listeners who listen to us every week. Thank you to our sponsors, LastPass and Recorded Future.

And if you want to help us out, the best way you can do that is by telling your friends to listen to the show.
GRAHAM CLULEY
Fantastic. Okay, until next time. Cheerio. Bye-bye.
MARIA VARMAZIS
Bye. Happy New Year.
GRAHAM CLULEY
Happy New Year.
CAROLE THERIAULT
Now, Maria, I owe you an apology.
GRAHAM CLULEY
Oh?
CAROLE THERIAULT
Because my husband decided to watch The Good Place. Remember, I poo-pooed it?
MARIA VARMAZIS
You did, you did. Yeah.
CAROLE THERIAULT
And I have to admit, when he started watching it, I was like, oh, it's better than I thought. And I remembered that I did watch it, but very peripherally.

I was doing some kind of project or something, so, you know, it was on, but I wasn't fully watching it. And I actually think I missed most of the plot.

So I wanted to say it is a good show, and you've got my thoughts.
MARIA VARMAZIS
Oh, I'm so glad to hear it. I really, I really enjoy it.
CAROLE THERIAULT
Thank you for watching.
MARIA VARMAZIS
Oh, you're very welcome. That makes me so happy. Thank you.
GRAHAM CLULEY
It's good to know that we can change our opinion sometimes, isn't it, Carole?
CAROLE THERIAULT
Yes, Graham, it is.
GRAHAM CLULEY
Any change of opinion on the red pill? Remember Michael Hucks's pick of the week? No, it's still rubbish, isn't it?
CAROLE THERIAULT
Still shit.

Hosts: Graham Cluley and Carole Theriault.

Guest: Maria Varmazis.

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Recorded Future

For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you. "The Threat Intelligence Handbook" is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation's defence against the latest cyber attacks.

Download it for free at www.smashingsecurity.com/intelligence now.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
